Request an Exception to Information Security Standards

The intent of the Exception process is for units to comply with the University Information Security policy by:

  • proactively identifying technology or processes that do not meet University information security standards and
  • requesting University Information Security (UIS) assistance in reviewing compensating controls to secure the data or systems while working towards complying with the standard(s).

Some examples of exceptions are:

  • (in-house or vendor-supported) software running on old operating systems
  • IT vendors or services with limited documentation of security controls
  • processes involving users or administrators sharing accounts.

If units are aware of multiple individual or stand-alone systems that do not meet specific University information security standards, these can be combined into a single, unit-level exception request.

This Exception process applies to all UMN information security assets whether managed by OIT services, units or vendors. It is distinct from any exceptions procedures for devices managed by OIT Device Support or HST.

Process

The exception process typically involves the Subject Matter Expert, unit IT Director, or IT Service Owner, and Administrative or Academic Senior Leadership.

  1. The IT Director or IT Service Owner submits an Exception Request form to identify the Data Security Classification and Security Level, the business need for the IT asset involved, and the required control.
  2. University Information Security (UIS) works with unit or service participants and other stakeholders as needed (e.g. data owners or compliance officers) to identify and document compensating controls.
  3. UIS assigns a risk level to the exception.
  4. The unit or service leadership accepts the risk of the exception for up to 12 months by signing the exception document.
  5. The unit or service implements the compensating controls or continues to work to comply with the information security control during the planned timeframe, e.g., requesting enhancements from a vendor, or reviewing vendor documentation.
  6. If unable to meet the control at the time of expiration, the unit or service is responsible for submitting an Exception Request form (linked in step 1) to identify any relevant changes to technology, policy, or security threats. UIS will review the continuing request in light of the most current security profile for the environment.