Search Information Security site


Main menu

Top 10 Changes to Information Policies, Standards, and Procedures

Significant updates have been made to UVA information policies, standards, and procedures. The results should not only improve the security of our information technology environment, but also provide improved guidance for our community as we all strive toward compliance. Unless otherwise noted below, all changes are effective immediately.  These policies address the management of IT resources and University information and provide a framework for minimizing risks.

We encourage you to review and familiarize yourself with these changes and encourage you to seek assistance from technology experts (i.e. Local Support Partners) in your areas. You may learn more about these updated policies, standards, and procedures on our Information Technology Policies, Standards, & Procedures webpage.  For questions or concerns please speak with your Local Support Partner (LSP) or email University Information Security at [email protected].

Top 10 Changes (+1 bonus):

  1. Streamlined the number of information technology policies from 26 to 4, and the number of standards and procedures from 71 to 31.
  2. Defined a new policy area:  Privacy and Confidentiality of University Information (IRM-012)
  3. New data classification level:  Internal Use
  4. New Policy, Standard, and Procedures Exception process
  5. Defined approval process for new business processes involving Highly Sensitive Data or Sensitive Data
  6. Approvers have been clearly defined, and the process to request approval has been clarified.
  7. Security awareness training for all non-student users is now required annually, effective March 1st, 2018.
  1. The Information Security-Risk Management (IS-RM) assessment program uses an online tool, and assessment completion is now required annually, effective March 1st, 2018.
  2. Reporting of information security incidents is now required within one (1) hour of becoming aware of the incident.
  3. Access to electronic records of the deceased has been updated based upon recent changes to state law.

Let's take these changes up to an eleven!

  11. Established the requirements for obtaining third and fourth level subdomain names on

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form