Skip to Content

Security and Data Protection Policies

Contact it-policy@virginia.edu for clarification or to report violations, unless otherwise indicated.

Policy or Topic Description Contact or Additional Information
Administrative Data Access Rules for access to administrative data, including definitions explaining what it is and the rules for using it. Employees who access University administrative data must use it according to the rules or risk disciplinary consequences.
Electronic Data Removal Explains rules and processes for removing data from electronic storage media being surplused, transferred or returned. University policy IRM-004.
Electronic Storage of Highly Sensitive Data Strictly limits the circumstances under which highly sensitive data may be stored on individual-use devices and media. It further mandates that strict security requirements be met when highly sensitive data must unavoidably be stored on individual-use electronic devices or electronic media.
IT Security Incident Reporting Establishes the requirement to report information technology security incidents to appropriate University officials so proper and timely response procedures can be initiated. University policy IRM-012.
IT Security Risk Management Explains the IT Security Risk Management Program, which itself explains existing risks and strategies for reducing or eliminating those risks. University policy IRM-003.
IT Security Program States the codes of practice with which the University aligns its information technology security program to safeguard the institution's computing assets in the face of growing security threats. This significant challenge requires a strong, persistent and coordinated program that leverages widely accepted, effective security practices appropriate for the higher education environment. University policy IRM-011.
Network Access for Third Parties Explains the conditions under which third parties (e.g., vendors, consultants) are allowed direct access to the University network.
  • ITS, Senior Director, Enterprise Infrastructure (information)
Records Management Explains records management requirements, including records retention and disposal.
Security of Networked Devices Explains all users' responsibilities for maintaining the security of their devices on the University network.
Social Security Numbers

Explains the proper protection and use of Social Security numbers (SSNs). University policy IRM-014.