Exceptions to Information Security Policies and Standards
Quick link: Exception Request form.
University Information Security (UIS) maintains the University Information Security Policy and Information Security standards, and administers the Exception process for situations in which IT assets cannot comply with the controls required by the standards.
The purpose of Exceptions to the security standards is to identify and escalate compliance gaps and to help prioritize resources based on risk.
- University faculty or staff work with their IT Director, IT Service Director, or Department Head, to identify situations that are not in compliance with University Information Security Policies or Standards.
- If a compliant technical solution or business process is not feasible, the IT Director (or equivalent) requests an exception using the online Exception Request form, which includes identifying the Data Security Classification and Security Level of the IT asset.
- UIS evaluates the request and works with the requester to identify mitigating controls. Initial review of Exception requests may take 2 weeks.
- If approved, exceptions are valid for up to 12 months. When an exception expires, the IT Director (or equivalent) must request a new exception.
Frequently Asked Questions
What types of situations qualify as information security exceptions?
Request an exception when a system cannot comply with a control that is required by the information security standards (such controls typically apply to Private data or to IT resources with Medium or High Security Levels).
Who is involved in the exception process?
Depending on the situation, the following may be involved in the process:
- Data Owner
- Dean/IT Director/IT Service Director
- Subject Matter Experts, e.g. system users
- UIS Risk Analysts
- Privacy Officers
Is there a limit on the length of time for an exception?
Each exception has its own expiration date. The maximum exception period is 12 months.
What types of questions are asked in the review process?
Each case is different. Here are questions that may be relevant:
- What is the business reason for not complying with the information security policy or standard?
- What is the information life cycle of the process, including backup and destruction of University data?
- How will the process be hosted?
- If a vendor is involved, what security controls does the vendor attest to?
- What anti-malware is used?
- What risk mitigation strategies are being considered?
Resources & Links
- IT Policies in U-wide Policy Library
- Information Security Standards
- diagrams illustrating the exception process: