Policy Exception

Overview

All information technology resources connected to the university network are expected to comply with the information technology policies and standards designed to protect the university's data. These resources include, but are not limited to, computers, mobile devices and user accounts. In some cases it may not be possible for a resource to comply with the policies and standards. For these situations, a policy exception must be documented and approved.

Exception Criteria

A policy exception may be issued in any of the following scenarios:

| Scenario | Description |
| --- | --- |
| Business Critical | Compliance would impact critical processes or otherwise prevent the university from completing its mission |
| Alternate Control | An alternative solution provides the equivalent or better protection |
| Legacy System | The system is being retired and compliance is not possible, or would be too expensive for the short time the exception is needed |
| Financial Barrier | The financial cost of compliance outweighs the risk introduced by non-compliance |

Requests for an exception must document:

  • The highest data classification handled by the affected resource, and the specific data elements which may be affected, if any
  • The specific deviation from the standard or policy which is required
  • The expected time frame for which the exception is required
  • How any risks of non-compliance can be mitigated
  • Any additional information that may be helpful and help justify the exception
  • The name of the resource (e.g. computer hostname, user name, application) for which the exception would apply

Exception Review and Renewal

Requests for an exception are reviewed on a case-by-case basis and approved exceptions must be reviewed at least annually. Renewals of exceptions are not granted automatically.

See the following links for more information:

Use this service

  • If you believe that an exception is required for a technology resource that you use
  • If you are unsure if you need an exception
  • To request a renewal of a previously approved exception

Related Articles (1)

Overview, FAQ, and change log of the data security standards