University Data Protection Standards (UDPS 3.0)

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Using the Standards
     b) Data Sensitivity Classifications and Examples
     c) Acronyms Used
     d) Standards Grid
     e) Responsibility for Data
     f) Data in Transmission
     g) Data Storage and Destruction
     h) Shared Devices
     i) Individual-Use Electronic Devices
     j) Assessing and Managing Risk
3.  Definitions
4.  Related Links
5.  Exceptions

1.  Purpose and Background

The University of Virginia is strongly committed to maintaining the security and privacy of confidential personal information and other data it collects or stores. It expects all those who store such information to treat these data with the utmost care in order to protect the privacy and legal rights of the University community.  In order to guide University data users in achieving this objective, the University has developed these University Data Protection Standards (UDPS) to highlight the requirements for handling and protecting University data, whether the information is categorized as highly sensitive, sensitive, internal use, or public.  To maximize the accessibility and usability of this document, the UDPS 3.0 is also available as a PDF.  (The term moderately sensitive data has been changed to sensitive data. The definition remains the same.)

This standard applies to all University data, and does not supplant federal and state laws and regulations, legal requirements, or contractual obligations for protecting data.  This standard applies to all users who electronically store, collect, transmit, oversee, or display University data.  As detailed in the Data Protection of University Information (IRM-003), all users must handle data in compliance with the UDPS. Moreover, following these standards is consistent with the University's standards for Highly Sensitive Data Protection Standard, Highly Sensitive Data Protection Procedures and Records Management policies.

2.  Standards

USING THE STANDARDS

The University Data Protection Standards are divided into different functional groups. For each function, there is a defined standard based on the sensitivity of the data involved. These are intended to be baseline standards. Applying stricter controls may provide additional security. For example, an executive data steward may designate otherwise sensitive data under his or her responsibility as highly sensitive for purposes of these standards.  To determine which standard applies in a given instance:

  1. Determine the sensitivity level of the data involved, whether it is highly sensitive, sensitive, internal use, or public.
  2. If a system or device contains data of different sensitivity levels, the standards for the most sensitive data on the system or device must be followed for the entire system or device.
  3. For any standard labeled “recommended, but not required,” the standard should be followed unless there is a strong, documented justification for not doing so.

Data Sensitivity Classifications and Examples

The University's Data Protection of University Information (IRM-003) establishes four data classifications of sensitivity: highly sensitive data, sensitive data, internal use data, and public data.  Listed in the table that follows are examples of data within each classification.

Highly Sensitive Data

Highly sensitive data are explicitly defined in the University’s Data Protection of University Information (IRM-003) policy.

Examples:

  • Any personal information that can lead to identity theft if exposed, e.g. Social Security numbers, passport numbers, driver’s license numbers, military identification numbers
  • Any form of personally identifying information (PII) in combination with social security number (SSN), driver’s license number, passport number and/or military ID number.  For example, computing ID and driver’s license number, or home address and SSN
  • Financial account number in combination with any required security code, access code, or password that would permit access to a resident's financial accounts
  • Credit card or debit card number, including any cardholder data in any form on a payment card
  • Medical information that reveals an individual’s health condition or medical history; this includes, but is not limited to, HIPAA-protected information
  • Any store or file of passwords or user-ids and passwords on any multi-user system or computer

Note that credit card numbers can never be stored either alone or in combination with any other identifiers.

    Sensitive Data

    Sensitive is the default classification for all data that is not explicitly defined as highly sensitive data, may be held from release under FOIA, or that is not intended to be made publicly available.

    Examples:

    Internal Use Data

    Internal use data is classified as a public record available to anyone in accordance with the Virginia Freedom of Information Act (FOIA) but is not intentionally made public (see the definition of public data).  For a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act.

    Examples:

    • Salary information
    • Contracts
    • Specific email correspondence not otherwise protected by a FOIA exemption

    Public Data

    Public data is intentionally made available to the public.

    Examples:

    Acronyms Used

    The following acronyms are used throughout this document. Occasionally, other acronyms may appear that are hyperlinked to additional relevant information.

    FERPA: Family Educational Rights and Privacy Act (protects student information)

    FOIA:  Virginia Freedom of Information Act

    HIPAA: Health Insurance Portability and Accountability Act (protects patient information)

    Health IT: Health Information and Technology

    InfoSec: University Information Security office

    IT: information technology

    ITS: Information Technology Services

    VP: Vice President

    University Data Protection Standards

    The following tables are divided into six areas of data protection:

    Each table must be carefully reviewed to determine all standards that apply to a particular data set and/or scenario.

    Responsibility for Data

    Role

    Highly Sensitive Data

    Sensitive Data

     Internal Use Data

    Public Data

    UVA Information Security Office

    Approve requests from faculty and staff to store highly sensitive data on individual-use computers, mobile devices, and electronic media. 

    UVA Information Security must review and approve any request to store HSD on individual-use devices or media.

    No explicit requirement.

    No explicit requirement.

    No explicit requirement.

    Evaluate requests from faculty and staff to store highly sensitive data on individual-use electronic devices and electronic media to confirm that such storage is necessary to meet essential departmental needs.

    Forward confirmed requests to the appropriate VP or Dean for approval.

    No explicit requirement.

    No explicit requirement.

    No explicit requirement.

    Evaluate requests to outsource the management, storage, transmission, and/or collection of highly sensitive data.  This review and approval may involve Health Information and Technology when appropriate.

    When outsourcing, departments may use University-contracted services designated for this data classification (e.g. UVaBox).   Any other outsourcing requires review and approval by UVA Information Security, the same as is required for HSD.

    Consultation with UVA Information Security recommended, but not required.

    No explicit requirement.

    Vice Presidents and Deans

    Accountable for the security of highly sensitive data stored on shared and individual-use electronic devices, electronic media, and physical media used by their departments, faculty and staff as detailed in University Use of Highly Sensitive Data.

    Same as for highly sensitive data.

    Accountable for the security and integrity of data stored and used by their departments, faculty, and staff.

    Same as for Internal Use Data.

    Approve requests from faculty and staff to store highly sensitive data on individual-use computers, mobile devices, and electronic media. 

    UVA Information Security must review and approve any request to store HSD on individual-use devices or media.

    No explicit requirement.

    No explicit requirement.

    No explicit requirement.

    Approve any plans within the associated departments to outsource management of highly sensitive data, including applications and/or computing devices housing such data, to parties external to the University.

    UVA Information Security office must review and approve any outsourcing that involves highly sensitive data.  This review and approval must involve the Information Security Office within Health Information and Technology when appropriate.  Furthermore, approved cloud vendors (e.g., outsourcing) must be reviewed annually.  The review must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    When outsourcing, departments may use University-contracted services designated for this data classification (e.g. UVaBox). Any new outsourcing requires review and approval by UVA Information Security, the same as is required for HSD.  Furthermore, if the outsourcing involves mission critical services or applications it must be reviewed annually.  The review must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    If the outsourcing involves mission critical services or applications it must be reviewed annually.  The review must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    If the outsourcing involves mission critical services or applications it must be reviewed annually.  The review must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    Department Managers and Chairs (e.g. direct reports to VPs and Deans; Directors)

    Hire highly skilled IT professionals to administer departmental computers on which highly sensitive data are stored. Make information security a top priority for IT staff, and ensure they have sufficient time, authority, and on-going training to address information security needs.

    Same as for highly sensitive data.

    Highly recommended, but not required.

    No explicit requirement.

    Evaluate requests from faculty and staff to store highly sensitive data on individual-use electronic devices and electronic media to confirm that such storage is necessary to meet essential departmental needs.  
    Evaluation must include consultation with, and approval from UVA Information Security before forwarding to the VP or Dean for approval.

    Forward confirmed requests to the appropriate VP or Dean for approval.

    Review and approval from UVA Information Security is recommended but not required.

    No explicit requirement.

    No explicit requirement.

    Evaluate requests to outsource management, storage, transmission, and/or collection of University data. UVA Information Security office must review and approve any outsourcing that involves highly sensitive data.  This review and approval must involve the Information Security Office within Health Information and Technology when appropriate.  Furthermore, approved cloud vendors must be reviewed annually.  Responsible for ensuring the review follows the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    Same as for highly sensitive data, except if the outsourcing involves mission critical services or applications it must be reviewed annually.  The review must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    If the outsourcing involves mission critical services or applications it must be reviewed annually.  The review must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    If the outsourcing involves mission critical services or applications it must be reviewed annually.  The review must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    Maintain an updated inventory of departmental servers storing highly sensitive data (including device name and physical location) on file with UVA InfoSec, which will share the inventory with the Information Security Office within Health Information and Technology as appropriate.

    Maintain an updated local inventory of all storage locations of highly sensitive data, including paper, electronic backups, and individual-use electronic devices and media. The inventory should include specific room and/or file cabinet locations and be kept in a secure, locked location. HSD on paper media must be stored securely as outlined in the Records Management Policy.

    Comply with Information Security Risk Management Standard.

    Same as for sensitive data.

    No explicit requirement.

    In the event of a security incident, verify that it has been reported in accordance with the University’s Reporting an Information Security Incident standard, and provide staff and funding needed to:

    • determine risk of data exposure,
    • notify affected individuals that their personal information was exposed,
    • provide credit monitoring, and
    • operate a hot line for questions.

    All incident response efforts must be conducted in consultation with UVA Information Security.

    In the event of a security incident, verify that it has been reported in accordance with the University’s Reporting an Information Security Incident standard.

    Same as for sensitive data.

    Same as for sensitive data.

    Individual departments are required to follow additional external data protection standards where applicable. Although the UDPS are based on best practices, compliance with the UDPS does not necessarily substitute for compliance with legal regulations and requirements such as, but not limited to:

    • HIPAA (Health Insurance Portability and Accountability Act),
    • HITECH (Health Information Technology for Economic and Clinical Health) Act,
    • FERPA (Family Educational Rights and Privacy Act),
    • GLBA (Gramm-Leach-Bliley Act, common title of the Financial Services Modernization Act (FSMA)),
    • PCI-DSS (Payment Card Industry Data Security Standard),
    • Requirements for Classified Data, and
    • various grant requirements.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Faculty, Staff, Student Workers, Contractors, and Other Affiliates Granted Access to University Data

    Obtain department chair and VP/Dean (or designee) approval to store highly sensitive data on any individual-use electronic devices and media and meet all security requirements specified in the Highly Sensitive Data Protection Standard and the Highly Sensitive Data Protection Procedures.

    Before seeking department chair and VP/Dean approvals, consultation with, and approval from UVA Information Security is required.  Email them at [email protected]

    No explicit requirement.

    No explicit requirement.

    No explicit requirement.

    Must ensure that University-owned workstations under their control are configured and administered in accordance with the Elevated Workstation Privileges Standard.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Must complete faculty or staff information security and privacy awareness training annually, including acceptance of the electronic access agreement. Training specifically for Medical Center employees is provided through NetLearning.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    IT Personnel (e.g. ITS technical staff, Local Support Partners [LSPs], and other staff with IT responsibilities)

     

    In addition to the responsibilities required of all staff, IT personnel are also responsible for

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Data in Transmission

    Transmission Method

    Highly Sensitive Data

    Sensitive Data

    Internal Use Data

    Public Data

    Via Email and Email Attachments

     

    Not permitted, except with Health IT provisioned accounts 1) involving provider/patient communications conducted in accordance with guidelines posted on the Health System Privacy Office web site, or 2) by approved academic and administrative users in accordance with approved guidelines.

    Not recommended if the personal data (not explicitly defined as highly sensitive) of multiple individuals are involved, e.g. student names and grades for a class.

     

    No explicit requirement.

    No explicit requirement.

    Other Messaging Services (e.g. voicemail, texts, chat, Lync, Skype, FaceTime, Blackboard Collaborate)

     

    Not permitted unless written approval has been granted by UVA Information Security office and relevant UVA offices, such as Health IT information security office, and the IRB-HSR.

    Not recommended if the personal data (not explicitly defined as highly sensitive) of multiple individuals are involved, e.g. student names and grades for a class.

     

    No explicit requirement.

    No explicit requirement.

    Via Fax

    Not permitted unless

    1) receiving fax machine is in a restricted-access location, (1b) the intended recipient is clearly indicated, and (1c) that recipient has been alerted to the pending transmission and (1d) is available to pick it up immediately and (1e) promptly communicates secure reception; or
    2) utilizing an IS- or Health IT-approved secure server-based fax system.

    Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, no explicit requirement.

     

    No explicit requirement.

    No explicit requirement.

    Via Other Electronic Transmissions

    (e.g. SecureFX, SecureFTP, S-HTTP, PGP, HTTPS)

    Transmission channel must be encrypted using industry standard encryption technologies. Source and destination devices must be appropriately secured and approved for storage of HSD.

    Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, encryption recommended, but not required.

    Encryption recommended, but not required.

    No explicit requirement.

     

    Data Storage and Destruction

    Storage Type

    Highly Sensitive Data

    Sensitive Data

    Internal Use Data

    Public Data

    Storage in General Purpose Electronic File and Workspaces (e.g. Home Directory, UVA Collab, Sharepoint, UVaBox, OneDrive, shared server drives)

    Not permitted, except on the shared drives designated for highly sensitive data that are managed by ITS or Health IT; access to such data must be restricted to only those individuals who require it in order to perform job duties and must be promptly revoked when an individual leaves the University or changes job function for which access is no longer essential.

    Contact [email protected] for specific guidance on University electronic file and workspaces explicitly designated for storage of highly sensitive data.

    Not permitted on storage external to the University (e.g. cloud vendors like DropBox, Google Drive, or third party hosts) unless properly approved and contracted as described under “Responsibility for Data.”  Furthermore, approved cloud vendors must be reviewed annually.  The review must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    Not permitted unless access to data is granted to the least number of people possible and is promptly revoked when an individual leaves the University or changes job function for which access is no longer essential.

    Not permitted on storage external to the University (e.g. cloud vendors like DropBox, Google Drive, or any other third party hosts) unless 1) using a University-contracted service designated for this data classification (e.g. UVaBox, OneDrive) or, 2) third party host or service has been reviewed and approved as described under “Responsibility for Data.” If a service has been identified as mission critical, the business unit responsible for the service must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    Not permitted on storage external to the University (e.g. cloud vendors like DropBox, Google Drive, or any other third party hosts) unless 1) using a University-contracted service designated for this data classification (e.g. UVaBox) or, 2) third party host or service has been reviewed and approved as described under “Responsibility for Data.” If a service has been identified as mission critical, the business unit responsible for the service must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review. 

    If a service has been identified as mission critical, the business unit responsible for the service must follow the steps outlined in the external Vendor Security Review standard which includes a requirement that the business unit associated with the service or application request an external assessment from the vendor on an annual basis and provide the documentation to University Information Security for review.

    Physical Media

    (e.g. printed material, completed forms, microfilm)

    Printing not permitted unless the printer is securely configured either 1) in a restricted-access location and someone authorized to see the information is available to pick up the printout immediately, or 2) with password-secured printout release.

    Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class.

    Otherwise, no explicit requirement.

     

    No explicit requirements.

    No explicit requirement.

    Follow the University Physical Records Storage Standards for HSD.

    Follow the University Physical Records Storage Standards for Sensitive Data.

    Follow the University Physical Records Storage Standards requirements for Sensitive Data.

     

    Follow the University Physical Records Storage Standards.

     

    Destruction of Electronic Data and Physical Media

     

    Securely store and destroy in accordance with the University’s Electronic Data Removal Standards, Electronic Data Removal Procedures, and Records Management Policy.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Follow the Records Management Policy.

     

     
    Shared Devices (e.g. Servers, Network Attached Storage, Disk Arrays)

    Control

    Highly Sensitive Data

    Sensitive Data

    Internal Use Data

    Public Data

    Basic Security Configuration

    Operating system must be configured according to current best information security practices. Sources for such standards include the OS vendor, the Center for Internet Security, Security of Network Devices standard and others. Variances and exceptions must be documented and approved as required by the Security of Network Devices standard.

    Policy-based hardening through a console-based configuration manager (e.g. Microsoft’s System Center Configuration Manager) is recommended.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Only those versions of operating systems and network-aware applications actively supported by their vendors or open source community must be used. Variances and exceptions must be documented and approved as required by the Security of Network Devices standard.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Operating systems and network-aware applications must be patched to the most current security level provided by their vendors. Patches should be expediently tested and, if viable, promptly applied.

    Variances and exceptions must be documented and approved as required by the Security of Network Devices standard.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    All network aware applications and services not essential to the server’s purpose or administration must be deactivated.

    For each server, the department must maintain a list of active applications and services, with a documented purpose for each.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Data files must be isolated (on separate servers) from all Internet-facing programs and services, e.g. Web and file transfer.

    Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, no explicit requirement.

    No explicit requirement.

    No explicit requirement.

    Remote Desktop Protocol (RDP) must be turned off on all devices except where the department has a documented business reason for using it, and the device resides behind a hardware firewall. If using RDP from off‑grounds, it must be tunneled through a UVA-supported VPN.

    Same as for highly sensitive data.

     

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Device must be located behind a hardware firewall configured by a highly skilled IT professional and approved by the UVA Information Security office or the Health Information and Technology office as appropriate.

    Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, device must have software firewall activated.  Location behind a hardware firewall (e.g. on the More Secure Network) is recommended.

     

    Device must have software firewall activated. Location behind hardware firewall (e.g. on the More Secure Network) is recommended.

     

    Device must have software firewall activated. Location behind hardware firewall is recommended.

     

    Server Access Permissions

    Granted to the fewest number of people possible. Access is promptly revoked (within one business day) when an individual leaves the University or changes job function for which access is no longer essential. Access lists must be systematically reviewed at least annually.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Administrator and user passwords meet or exceed recommended length and/or complexity levels.
    User passwords must never be shared with anyone.
    Administrator passwords must never be shared, with this one exception: passwords for administrator accounts that may need to be accessed in the absence of their normal administrator or in an emergency situation must be securely escrowed (i.e. using documented procedures for storage and retrieval, store passwords in a restricted-access location accessible by a member of the unit’s senior management).

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Except as noted below, two-factor authentication, e.g. UVA identity token and password, is required for all individuals granted access. The implementation method for two-factor authentication must meet standards approved by the UVA Information Security office.

    Exception: For access to shared devices managed by Health Information and Technology office, HIPAA-compliant authentication methods established by that department must be used.

    Two-factor authentication required for server administrators.

    Two-factor authentication is recommended but not required for all individuals accessing services and data on the server if the personal data (not explicitly defined as HSD) of multiple individuals are involved, e.g. student names and grades for a class.

    Same as for sensitive data.

    Two-factor authentication required for server administrators.

    Security logging is enabled and reviewed frequently to detect and/or investigate potential information security breaches. Compliance must include use of automated alert tools.

    Security logging is enabled and reviewed frequently to detect and/or investigate potential information security breaches.  Recommended but not required to use automated alert tools.

    Same as for sensitive data.

    Same as for sensitive data.

    All accesses to data covered by HIPAA are logged according to those regulations.

    N/A

    N/A

    N/A

    Recovery and Physical Security

     

    Servers must be located in locked server racks in data centers managed by ITS or Health IT, or in a departmental machine room that is physically restricted, has a double-locked door, with card access and access logging.

    Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, recommended but not required that servers be located in locked server racks in ITS or Health IT data centers if space is available.

    If located outside of a data center, the room must be physically restricted (locked when unattended).  Recommended, but not required to have a double-locked door, with card access and access logging.

    Backup media must be locked when unattended.

    The department administering the servers must provide appropriate physical security for these devices and backup media.  Consultation with UVA Information Security is recommended but not required.

     

    The department administering the servers must provide appropriate physical security for these devices and backup media.

     

    Regular server backups must be taken.  Frequency and duration of storage of backups will depend upon several factors, including, but not limited to, the business continuity and/or disaster recovery plan, University policy, contractual, regulatory, or other compliance requirement(s) that are associated with the data in question.

    Backup files must be kept in

    • ITS-managed or Health IT-managed secure backup storage locations,
    • a vendor-provided storage service that has been reviewed and approved by the University Records Management Office (URMO) or UVA Information Security as appropriate, or
    • a departmental room that is physically restricted, with a double-locked door, with card access and access logging.

    Regular server backups must be taken.

     

    Recommended but not required that backup files be kept in

    If backup files are kept in a departmental room, it must be physically restricted (locked when unattended). It is recommended but not required that the room have a double-locked door, with card access and access logging.

     

    Same as for sensitive data.

    No explicit requirement.

    Other Server Requirements

    Network registration information, such as contact information, is kept up to date.

    Same as for highly sensitive data.

     

    Same as for highly sensitive data.

     

    Same as for highly sensitive data.

     

    Security concerns related to server-hosted applications will be identified and resolved on an individual basis by the department in consultation with UVA Information Security (InfoSec) and ITS. Health IT will be involved in the consultation if appropriate.

    Same as for highly sensitive data.

     

    Security concerns related to server-hosted applications will be identified and resolved on an individual basis by the department – if desired, in consultation with UVA InfoSec, ITS, and, if appropriate, Health IT.

    Same as for internal use data.

    Additional security safeguards may be required depending upon the specific applications and services provided by the servers.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    SCANNING

    Servers, connecting devices, and web applications are periodically tested with a standard set of information security assessment tools, including

    Web application vulnerability scans (e.g., WebAppScan) must be performed and remediated before any web application is released into production, when the application is modified, and at least bi-monthly thereafter.

    Same as for highly sensitive data, except scanning periodicity is quarterly.

    Same as for highly sensitive data, except scanning periodicity is quarterly.

    Same as for highly sensitive data, except scanning periodicity is quarterly.

     

    Individual-Use Electronic Devices

    (e.g., Desktop Computers, Laptops, Tablets, Smart Phones, Mobile Devices)

    Control

    Highly Sensitive Data

    Sensitive Data

    Internal Use Data

    Public Data

    Security Configuration Requirements

    Basic Security Configuration

    To store highly sensitive data on individual-use electronic devices and media, users MUST:

    1. Obtain approval from:

        1. UVA Information Security office
        2. Departmental chair or designee
        3. VP or Dean (or designee) responsible for the department.

    2. Meet all requirements, including encryption, specified in the University’s Highly Sensitive Data Protection Standard.

    Must meet requirements for securing electronic devices in accordance with the University’s Security of Network-Connected Devices Standard.

     

    Same as for sensitive data.

    Same as for sensitive data.

    University-owned individual workstations must be configured and administered in accordance with the Elevated Workstation Privileges Standard.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Any individual-use device, whether individually or University-owned or managed, must be configured and administered in accordance with the Security of Network-Connected Devices Standard.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Scanning

    Identity Finder (or equivalent) highly sensitive data scans must be performed and all unapproved storage remediated at least quarterly, as detailed in Highly Sensitive Data Protection Standard and the Procedures on the Use of Data Loss Prevent (DLP) Tools.

    Devices capable of running antivirus or antimalware must have at least one of these installed and configured to protect the device. 

    • For antivirus it must be configured to run full scans of the device at least weekly and obtain the latest definitions as they become available from the vendor.
    • For antimalware, it must be configured to run realtime scans and obtain the latest updates as they become available from the vendor.

    Networked-device vulnerability scans (e.g., Nessus) must be performed and remediated at least quarterly.

    Identity Finder (or equivalent) highly sensitive data scans must be performed and remediated at least quarterly (as detailed in Highly Sensitive Data Protection Standard and the Procedures on the Use of Data Loss Prevent (DLP) Tools).

    Devices capable of running antivirus or antimalware must have at least one of these installed and configured to protect the device. 

    • For antivirus it must be configured to run full scans of the device at least weekly and obtain the latest definitions as they become available from the vendor.
    • For antimalware, it must be configured to run realtime scans and obtain the latest updates as they become available from the vendor.

    Networked-device vulnerability scans (e.g., Nessus) must be performed and remediated at least twice a year.

    Same as for sensitive data.

     

    Same as for sensitive data.

    Server Connections

    Must connect to UVA servers only using two-factor authentication and:

    • through approved secure on-Grounds networks (More Secure Network, Secure Clinical Subnet, or jefferson wireless),
    • from home using UVA’s Joint VPN or High Security VPN, and a home network that employs a properly configured home firewall/router, or
    • when traveling using UVA’s Joint VPN or High Security VPN.

    Must clean out browser cache daily, either by browser configuration or cleaning application.

    Same as for highly sensitive data, except:

    • must use one of the UVA supported VPNs,
    • daily cache cleaning recommended, but not required.

    Same connection methods as for sensitive data are recommended, but not required.

    Same as for internal use data.

    Other Individual-Use Device Requirements

     

    Network registration information, such as contact information, is kept up to date.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

    Same as for highly sensitive data.

     

    Assessing And Managing Risk

    Area

    Highly Sensitive Data

    Sensitive Data

    Internal Use Data

    Public Data

    Risk Management

    Same as for highly sensitive data. The department must complete an IT security risk assessment, including updating the department’s mission continuity and disaster recovery plan, annually and when the computing environment changes significantly, in accordance with the University’s Information Security of University Technology Resources (IRM-004) policy.

     

    Same as for highly sensitive data. Same as for sensitive data.

    Same as for highly sensitive data. Same as for sensitive data.

    Security architecture (systems, applications, authentication, etc.) discussions with ITS and the University Information Security office, including Health Information Technology if appropriate, will be held as part of the annual risk management update, or sooner if there is a significant change to the computing environment.

    Security architecture discussions held as needed.

    Same as for sensitive data.

    Same as for sensitive data.

    Auditing

    The University’s Audit Department periodically audits the department’s computing environment.

    Less frequent audits necessary.

     

    Less frequent audits necessary.

     

    Less frequent audits necessary.

     

    3.  Definitions

    See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.


    4.  Related Links


    5.  Exceptions

    If you think you need to request an exception to these requirements, please refer to the Exceptions Process.
