Overview
All information technology resources connected to the university network are expected to comply with information technology policies and standards which are designed to protect the university's data. These resources include, but are not limited to, computers, mobile devices and user accounts. There may be a case where it is not possible for a resource to comply with the policies and standards. For these situations, a policy exception must be documented and approved.
A policy exception may be issued in any of the following scenarios:
| Scenario | Description |
| --- | --- |
| Business Critical | Compliance would impact critical processes or otherwise prevent the university from completing its mission |
| Alternate Control | An alternative solution provides the equivalent or better protection |
| Legacy System | The system is being retired and compliance is not possible, or would be too expensive for the short time the exception is needed |
| Financial Barrier | The financial cost of compliance outweighs the risk introduced by non-compliance |
Requests for an exception must document:
- The highest data classification handled by the affected resource, and the specific data elements which may be affected, if any
- The specific deviation from the standard or policy which is required
- The expected time frame for which the exception is required
- How any risks of non-compliance can be mitigated
- Any additional information which may be helpful and justify the exception
- The name of the resource (e.g. computer hostname, user name, application) for which the exception would apply
Requests for an exception are reviewed on a case-by-case basis and approved exceptions must be reviewed at least annually. Renewals of exceptions are not granted automatically.
See the following links for more information:
- If you believe that an exception is required for a technology resource that you use
- If you are unsure if you need an exception
- To request a renewal of a previously approved exception