Pol-Policy Exception Management Process

policy exception management process modified Wed Oct 12 2022 14:12:33 GMT-0400 (Eastern Daylight Time)

UofL Logo

University of Louisville

OFFICIAL
UNIVERSITY
ADMINISTRATIVE
POLICY

POLICY NAME

Policy Exception Management Process

EFFECTIVE DATE

July 23, 2007

POLICY NUMBER

ISO-004 v2.0

POLICY APPLICABILITY

This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates

REASON FOR POLICY

The purpose of this policy is to allow university entities the ability to do what is needed to further their area's mission while, at the same time, have reasonable assurance that solutions adopted are in compliance with applicable laws, regulations and university requirements.

POLICY STATEMENT

Information security considerations such as regulatory, compliance, confidentiality, integrity and availability requirements are most easily met when university constituents employ centrally supported or recommended standards. The University understands that centrally supported or recommended technologies are not always feasible for a specific school, division or other university sub-division. Deviation from centrally supported or recommended technologies is discouraged. However, an information security policy exception may be considered where a justifiable business and/or research purpose exists and where resources are sufficient to properly implement and maintain alternative technology or processes that meet or exceed existing university policies and standards. All policy exceptions must follow the process outlined within this policy.

STANDARDS

Administrative Standards:

The school, department or other entity unable to comply with a policy or standard must file a security exception. Except for minor approved exception requests, the requester will be guided through an assessment methodology that clarifies direct and indirect costs associated with the alternative process or technology; including technical, physical and administrative requirements consistent with laws, regulations, university policy, risk being assumed and the regulatory climate at large by using the "Policy Exception Request Template" (see below).

1. Preliminary:

  • Prior to completion of the Policy Exception Management Template an initial request should be sent via the online Policy Exception-Initial Request Form. Once received, the information will be reviewed and the submitter will be notified of the next step.
     
    Note: Minor exceptions due to isolated circumstances may be able to be adequately accounted for by this form and the more extensive Policy Exception Request Template will not be required.


2. If instructed to do so, the Policy Exception Request Template must be fully completed, including:

  • Approval signature of appropriate level of university management for the level of potential risk being assumed (this may be a Department Chair, a Director, Dean, Vice President, the Provost or the President).
  • Business and/or research case section which contains:
  • Description of exception including policy number - technology, process or standard and its application.
  • Information on why supported or recommended technology or standard does not meet requirements including ITS discussion.
  • Suggestions on what a viable control or central ITS supported solution would look like.
  • Implementation and maintenance costs including both initial and on-going costs for required licenses, hardware, software, infrastructure, training and procedural documentation, administrative and support personnel, temporary consultants, disaster recovery, backup, business continuity, and identified funding to support the technology during the technology's projected life cycle.
  • Data Sensitivity Assessment:
    • Data definition.
    • Expected users of the data (faculty, staff, research, students, clinical, etc.).
    • Data access restriction requirements due to laws/regulations (HIPAA, FERPA, PCI, NIH requirements, other laws or regulations, etc.), general privacy or proprietary/intellectual property concerns, university policy and/or prudent practice (this may be completed in conjunction with the Information Security Office).
    • Security methodology for managing this data and access to include logical security via the operating system, database, application and other means, as applicable, as well as physical security of hardware and other related infrastructure.
  • Implementation Plan
    • Project implementation plan and resources, timeline devoted to implementation.
  • Maintenance Plan
    • Plan and resources devoted to on-going maintenance, administration, user training and contingencies.

Note: The Policy Exception Request Template can be found in the Policy Exception Process web page.


3. Documentation is submitted to the Review Committee

  • Committee includes representation from the Information Security Office (ISO) and Information Technology Services (ITS) as well as, in an advisory capacity, Audit Services.  Note: The committee may seek additional business and/or research advisory expertise.
  • Risk Acceptance Document
    • The committee will complete a Risk Acceptance Form for the responsible entity. This document will identify the risks being assumed by the entity. This form will also document, based on the committee's assessment of the entity's documentation (as described above) if the proposal is approved for implementation.
    • The Risk Acceptance Form must be accepted, approved and signed-off by the appropriate Dean or Vice President. This approval documents that the entity management is aware of the risks inherent in the project and system, accepts them and will use entity resources to maintain the system and mitigate any risk events that may arise. Note: Depending on the scope and impact of the project, approval of the Provost and/or the President of the University may be required.
       Note: For reference, the Risk Acceptance Form can be found in the ISO web site.
  • Barring exceptional circumstances and given a proposal that is thorough and complete, the review committee will review and assess the proposal within 30 days of receipt.
  • If approved, entity proceeds with implementation. Subject Matter Expert (SME) from ITS will monitor implementation for adherence to plan or appropriate changes. If implementation proceeds as planned, technology or process is allowed to go into production.
     Note: The SME is not the project manager.
  • If request for exception is denied or implementation cannot proceed according to plan; entity can correct any deficiencies or seek alternative solutions.


4. Future review or audit

  • Audit Services, Information Security, Institutional Compliance, ITS or University Management may review technology for continued adherence to plan, security, etc.
RESPONSIBILITIES

Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

ADMINISTRATIVE AUTHORITY

Vice President for Risk, Audit, and Compliance

RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION

Information Security Compliance Office

502-852-6692

isopol@louisville.edu

HISTORY

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
 
This policy will be reviewed annually to determine if the policy addresses University risk exposure and complies with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
 
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
 
Revision Date(s):

1.0 / July 23, 2007 / Original Publication

1.1 / January 29, 2013 / Content Update

2.0 / March 8, 2016 / Review/update content and update to template format

2.0 / June 23, 2022 / Minor edit

Reviewed Date(s):  September 29, 2014; March 8, 2016; June 12, 2017; May 18, 2018; September 16, 2021; June 23, 2022

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.