Request an Exception to Information Security Standards

If a required control in the information security standards in the Information Security Policy is not met, then a unit or service requests an exception. When an exception expires, if the required control is still not met, the unit or service needs to request a new exception.

The exception process typically involves the Subject Matter Expert, unit IT Director, or IT Service Owner, and Administrative or Academic Senior Leadership. 


  1. Submit an on-line Exception Request form to identify the Data Security Classification and Security Level of the IT asset involved and the required control. Typically, the request is made by the IT Director or IT Service Owner.
  2. University Information Security (UIS) works with unit or service participants to identify and document mitigating controls, other stakeholders as needed (e.g. data owners or compliance officers).
  3. UIS assigns a risk level to the exception.
  4. Unit leadership accepts the risk of the exception for up to 12 months by signing the exception document.