Policy Exception Process

Information security considerations such as regulatory, compliance, confidentiality, integrity and availability requirements are most easily met when university constituents employ centrally supported or recommended standards. The University understands that centrally supported or recommended technologies are not always feasible for a specific school, division or other university sub-division. Deviation from centrally supported or recommended technologies is discouraged. However, it may be considered provided that the alternative presents a reasonable, justifiable business and/or research case for an information security policy exception; resources are sufficient to properly implement and maintain the alternative technology; the process outlined in this and other related documents is followed; and other university policies and standards are upheld.

ISO PS004

Information Security Policy Exception Management Process

  1. Policy Exception – Initial Request Form - Complete and submit the online Initial Request form.
  2. Policy Exception Request Template (Word Doc)
  3. Compliance Risk Acceptance Form (PDF) - Part of the information security policy exception management process used to document any significant exception considered by the Review Committee. The form is designed to present the potential risk to the responsible department head, vice president and/or dean for their risk acceptance.