Information Security Policy Exception Management Process

  1. Policy/Compliance Exception –Initial Request Form Complete and submit the online Initial Request form.


3rd Party Vendor Security Assessment Process - To learn more about the vendor assessment process click here.

  1. Vendor Services and Data Form - TO BE COMPLETED BY THE REQUESTING UNIVERSITY SCHOOL/DEPARTMENT  - Complete and submit the online form as the initial step in the vendor assessment process. This form will be used as part of the university procurement process and should be completed by any area utilizing a third party that will have access to university data. This is an internal form and should not be submitted by the third party.
  2. Vendor Security Assessment – Information provided in the Vendor Services and Data form will be reviewed by the ISO to determine if a vendor security assessment is required. If a review of the vendor's data security controls is required, the ISO will provide the department with a Vendor Control Questionnaire to be completed by both the unit and the vendor. The completed questionnaire must be reviewed by the ISO prior to the purchase of services/products or the finalization of a contract.
  3. Vendor Control Questionnaire - The Vendor questionnaire should be completed by vendor's storing sensitive data. It addresses a wide range of services and regulations and therefore not all questions may apply.  The vendor may submit a completed HECVAT in place of the questionnaire if they prefer.