People/Web Search Calendar Emergency Info A-Z Index UVA Email University of Virginia

Skip to Content

Information Security at UVa

Find out about practices, policies, and other aspects of security relevant to your role(s) at UVa:

Heartbleed Vulnerability

What is it?

Heartbleed is a serious security vulnerability that has been identified as affecting a large number of web sites across the Internet. It potentially allows encrypted information, including passwords used on the affected sites, to be intercepted.

Why should I care?

Depending on whether a site you used was vulnerable, you may need to change your password. However, you need to be sure the site has been patched before you change your password. Putting a new password on an unpatched site just exposes the new password.

Where can I learn more?

At UVa many servers, including SIS and HR/Finance (Integrated System), were never vulnerable. For more information on Heartbleed and ITS managed servers, see <>. For servers maintained outside of ITS, you'll need to contact the appropriate departmental system administrator for status updates.

A helpful Washington Post article goes into additional detail on the nature and scope of the problem.

This article on CNET references the current status ("Was not vulnerable," "Vulnerability patched. Password change recommended," "Awaiting Response," etc.) of the most popular web sites, like Google, Facebook, etc. For sites not listed, you will need to visit the individual web site directly for status information.

This more technical article from US-CERT provides advice for system administrators and links to company statements regarding the status of their services.

Questions regarding ITS servers should be directed to the UVa Help Desk at 4-HELP (434-924-4357) or More general questions should be directed to

University Data Protection Standards

The University's outline requirements for handling and protecting all the University's institutional data, whether the information is highly sensitive, moderately sensitive, or not sensitive. For a downloadable copy of the current version of the standards (PDF format) visit the Data Protection website. Version 2.0, released Dec. 20, 2013, introduces substantial changes.

Suspicious Email Alerts Website

Want to know if that weird email message you received is a scam or spam? The Suspicious Email Alerts Page will help you check to see if what you've received is similar to other suspicious or fraudulent emails, phishing scams, or schemes to commit identity theft that are currently circulating at UVa. To make it even easier, subscribe to these security alerts and warnings via an RSS feed.

Remember, if you receive an email with text similar to these messages, DO NOT respond—delete it immediately! Do not click any links in the email, and do not “unsubscribe” or acknowledge the email in any way. If you receive an email that appears “phishy” and are unsure if it's legitimate, and it is not listed, please report it to us; forward it to our email abuse team.

Highly Sensitive Data Protection Policy

The University's highly sensitive data policy, strictly limiting the circumstances under which sensitive data may be stored on individual-use electronic devices and media, and mandating that strict security requirements be met when such storage is unavoidable. It is the responsibility of individuals to determine if they have highly sensitive data on their device(s) and media and, if so, to ensure compliance with this policy.