How-to

Request an Exception to Information Security Standards

The intent of the Exception process is for units to comply with the University Information Security policy by:

  • proactively identifying technology or processes that do not meet University information security standards and
  • requesting University Information Security (UIS) assistance in reviewing and evaluating compensating controls to secure the data or systems while working towards complying with the standard(s).

Some examples of exceptions are:

  • (in-house or vendor-supported) software running on old operating systems
  • IT vendors or services with limited documentation of security controls
  • processes involving users or administrators sharing accounts

If units are aware of multiple individual or stand-alone systems that do not meet specific University information security standards, these can be combined into a single, unit-level exception request.

Process

The exception process typically involves the Subject Matter Expert, unit IT Director, or IT Service Owner, and Administrative or Academic Senior Leadership.

  1. The IT Director or IT Service Owner submits an on-line Exception Request form to identify the Data Security Classification and Security Level of the IT asset involved and the required control.
  2. University Information Security (UIS) works with unit or service participants and other stakeholders as needed (e.g. data owners or compliance officers) to identify and document compensating controls.
  3. UIS assigns a risk level to the exception.
  4. The unit or service leadership accepts the risk of the exception for up to 12 months by signing the exception document.
  5. The unit or service implements the compensating controls, or continues to work towards meeting the information security control within the planned timeframe (e.g., requesting enhancements from a vendor, or reviewing vendor documentation).
  6. If unable to meet the control at the time of expiration, the unit or service is responsible for submitting a new on-line Exception Request form including relevant changes to the technology, policy, or security threats. UIS will review the continuing request in light of the most current security profile for the environment.