Security & Policy Support

Overview

All information technology resources connected to the university network are expected to comply with information technology policies and standards which are designed to protect the university's data. These resources include, but are not limited to, computers, mobile devices and user accounts. There may be a case where it is not possible for a resource to comply with the policies and standards. For these situations, a policy exception must be documented and approved.

Policy Exception

Policy exceptions include exceptions to APM 30.11 University Data Classification and Standards, which applies to all IT Security Standards. Policy exceptions can be requested by anyone expecting to fall outside of existing policy and standards requirements, or upon suggestion when a gap in compliance with the policy and standards is found. A policy exception may be issued in any of the following scenarios:

| Scenario | Description |
| --- | --- |
| Business Critical | Compliance would impact critical processes or otherwise prevent the university from completing its mission |
| Alternate Control | An alternative solution provides the equivalent or better protection |
| Legacy System | The system is being retired and compliance is not possible, or would be too expensive for the short time the exception is needed |
| Financial Barrier | The financial cost of compliance outweighs the risk introduced by non-compliance |

Policy Review

Policy and standards reviews can be requested by anyone who wants OIT Security to audit or verify that technology is being used appropriately for UI standards, specific requirements such as research requirements like NSPM-33 or CMMC, or any other relevant compliance framework such as PCI, HIPAA, or FERPA.

Security Consultation

Use this service to request assistance with securing a system or environment. Requests for Research Cyber Support are made through this service. Other requests to implement security frameworks or general best practices may also use this service.

TLS Certificates

OIT provides for the acquisition of certificates through the InCommon Certificate Service at no additional charge to university departments. Certificates are available for any domain under the control of the university.

Certificate uses include:

  • Transport Layer Security (TLS, also known as SSL) for encrypting traffic for HTTPS or other protocols
  • S/MIME certificates for individuals (email signing and encryption)
  • Code Signing certificates

Use this service for any of the following:

  • Requesting new certificates
  • Renewing certificates
  • Revoking certificates
  • Adding a domain to the certificate manager
  • Questions about installation, ciphers, protocols, and minimum requirements
  • Testing of certificate and protocol configurations

When appropriate, attach the Certificate Signing Request (CSR) for the needed certificate, or put it into the body of the message.

Policy Feedback

Policy and standards require regular updates and continual improvement. If there are any gaps, inaccuracies, syntax issues, or other confusing elements that require clarification, anyone can use this service to provide feedback on IT policy and standards.

APM chapter 30: Information Technology Services

IT Standards

More information on Data Security Standards

 

 

 