F. Reporting Requirements

This document describes what must be reported to the Office of Information Technolgy in compliance with University Policy.

As explained in I. Executive Support and Policy Statement, the ITS-RM program is not yet fully formalized. A University policy, however, requiring all departments to participate in the program is proceeding through the official policy adoption process, and issuance is expected during Fall 2004. The program will apply to Agencies 207 (Academic Division), 209 (Medical Center) and 246 (College at Wise). All departments will complete their first iteration of the process by July 1, 2007, with department heads (or higher) responsible for approving the submitted reports.

  1. A copy of all ITS-RM working papers and final forms should be kept in the department, and a copy should be placed in secured off-site storage; e.g., along with your backups, for retrieval in the event local access is impossible.
  2. Upon the completion of all the forms, indicated below, and approval of them by the department head, and the appropriate dean or vice president if he/she has decided this additional step is important, a copy (templates are available in a compact reporting format in Microsoft Word format and PDF format) should be sent by e-mail to: Shirley Payne

or by messenger mail to:

Office of Information Technologies (OIT)
Security and Policy Coordination
ITC-Cresap, P.O. Box 400217

  • Mission Impact Analysis Questions
  • Risk Assessment Questions and Threat/Response Scenarios
  • Security Plan IT Mission Continuity Questions and
  • Plan Evaluation and Reassessment Questions (if appropriate)

OIT will file a copy of each department’s mission continuity plan with the University Disaster Recovery Coordinator, UVa Police Department. Documentation from departments hosting HIPAA-protected data will be shared with the HSCS Security Office. These documents will be used to identify new services required, and areas where central assistance is needed. Moreover, they assist the University in doing its own assessment of its overall IT security risks. They also need to be stored in a protected central location for University access in emergency situations. These documents will be kept in strictest confidence and will be used only in emergencies and to gauge an aggregate view of the University IT security environment.

This reporting process will be repeated with each subsequent evaluation and reassessment.

© 2009 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.