IT/Information Security Exception Request Process
Brief Description:
Provides a method for documenting an exception to compliance with established information technology and information security policies, standards, and practices
Related Policy:
- Cal Poly Information Security Program (ISP)
- Cal Poly Information Technology Responsible Use Policy
- CSU Information Security Policy
Introduction:
All information technology resources connected to the university network are expected to comply with campus information technology security policies and standards which are designed to establish the controls necessary to protect university information assets.
A control deficiency in one business process or IT resource can jeopardize other processes or resources because erroneous data may be inherited, privacy can be compromised or because a conduit for an intrusion into Cal Poly systems may be created. However, there may be a case where compliance cannot be achieved for a variety of reasons.
In such cases, an exception must be documented and approved using this process.
Scope:
This process applies to all published IT and information security policies, standards and practices and to all Cal Poly users. Individuals, technical support staff and managers responsible for implementing security policies and standards must use this process to request an exception.
Standard:
An exception to a published IT/information security policy, standard or practice may be granted in any of the following situations:
- Temporary exception, where immediate compliance would disrupt critical operations
- Another acceptable solution with equivalent protection is available
- A superior solution is available
- A legacy system is being retired and compliance is not possible (risk must be managed)
- Long-term exception, where compliance would adversely impact university business
- Compliance would cause a major adverse financial impact that would not be offset by the reduced risk occasioned by compliance (i.e., the cost to comply offsets the risk of non-compliance)
The exception request must document:
- The specific policy/standard for which an exception is being requested
- The specific device, application or service for which the exception is being requested
- Data classification category of associated device, application or service
- The type of data that will be affected, either directly or indirectly, by the exception
- The nature of the non-compliance, i.e., specific deviation from the policy/standard
- Why an exception is required, e.g., what business need or situation exists, what alternatives were considered, and why are they not appropriate
- Assessment of the potential risk posed by non-compliance, i.e., if the exception is granted
- Plan for managing or mitigating those risks, e.g. compensating controls, alternative approaches
- Anticipated length of non-compliance
- Additional information as needed, including any specific conditions or requirements for approval
All requests for exception must be signed by the person responsible for implementing the standards or controls. If the requester is not that person, then the responsible technical support staff must co-sign.
All requests for exception must be reviewed and approved by the university manager with authority for the resource for which the exception is being requested, and the information security coordinator for their area. (If the information security coordinator is the requester, then the appropriate dean or vice president or their designee should approve on their behalf.)
Requests for exceptions are reviewed for validity and are not automatically approved. Requests for exception that create significant risk to the university without compensating controls will not be approved. Requests for exception must be periodically reviewed to ensure that assumptions or business conditions have not changed. Renewals are not automatically approved.
Once a particular type of exception has been granted, future requests of the same type will receive the same ruling, barring special circumstances. If a certain type of exception is constantly being requested or approved, it may mean the relevant standard needs to be adjusted to include the exception as a norm. Cal Poly’s Information Security Office will review these patterns and recommend changes as needed.
If a superior solution is available, an exception will be granted until the solution can be reviewed, and standards or procedures can be updated to allow for a better solution.
The exception process is intended to be a generic method that applies to all IT/information security policies and standards. Enforcement procedures for non-compliance are defined in those policies and standards.
Requests for exception may be revoked in the event of a security incident or policy violation using established incident response procedures.
Procedure
- Requester requests an exception form by contacting it-policy@calpoly.edu. The latest version of the form (Word) can be accessed internally at: V:\IS\Public\ISO\Forms\.
- Requester completes the form and obtains all required signatures.
- Requester emails the signed form to it-policy@calpoly.edu and sends the original signed copy to the Information Technology Services (ITS) Office of the CIO (OCIO) in 14-115. Department retains a copy.
- The OCIO will gather any necessary background information, determine if other administrative officials need to be consulted, and make a recommendation to approve or deny the request.
- The OCIO will contact the requester if additional information is required.
- The OCIO will approve or deny the request for an exception and notify the requester and manager in writing as to the basis for the approval or an explanation of the denial.
- If approval is contingent upon meeting specific requirements not documented in the request form, the requester must sign and submit an updated request form to it-policy@calpoly.edu.
- Departments may appeal a denial by submitting additional information or requesting a meeting to discuss the decision. After that, all decisions will be considered final.
- All requests for exception will be documented and retained by the OCIO. Copies of the final signed form will be returned to the requester and manager for their files.
- Unless otherwise specified, exceptions will be valid for one year.
- At the time of renewal, OCIO will ask the requesting manager to reaffirm the original request.
- If the conditions have substantially changed, a new request for exception must be submitted.
Responsibilities:
Information Technology Services (Chief Information Officer or designee)
- Reviews and approves or denies requests for exception
- Requests additional information as needed
- Confers with ISO, unit/college/division management, technical support, information security coordinator or requester as needed
- Determines if additional reviews are required
- Documents specific conditions or requirements for granting an exception
- Tracks requests for exception and reviews at least annually
- Determines if blanket exceptions are appropriate and communicates same to the campus
- Revokes exception in the event of an incident or violation occurs
- Manages the exception process and recommends changes as needed
- Maintains documentation on the security.calpoly.edu website
Requester and/or System Administrator/IT Coordinator (if different)
- Completes the form in consultation with unit manager and technical support staff
- Confers with information security coordinator, ITS and ISO as needed
- Certifies that the information is accurate and will be implemented to the best of their ability
- Agrees to comply with all other aspects of the applicable IT/information security policies and standards and to abide by Cal Poly’s Information Resources Responsible Use Policy
- Acknowledges that exception may be revoked in the event of a violation or incident
- Acknowledges that exception will be subject to review at least annually
Department Head/Chair/Manager
- Confers with ITS, ISO, unit/college/division management, technical support, information security coordinator or requester as needed
- Reviews and approves requests for exception involving resources under their management
- Reviews applicable policy or standard for which the exception is being requested
- Accepts responsibility for the risks associated with granting the exception, including acceptance of any potential personal and departmental sanctions based on the applicable policy or standard
Information Security Coordinator (on behalf of the Dean/Vice President)
- Confers with ITS, ISO, unit/college/division management, technical support or requester as needed
- Reviews and approves requests for exception involving resources within their college or division
- Reviews applicable policy or standard for which the exception is being requested
- Advises unit/college/division management of the potential risks associated with granting the exception; accepts responsibility for said risks on behalf of their college/division
Related Procedures and Resources:
- IT Security Policy/Standard Exception Request Form
- Information Technology/Information Security Policies and Standards
Implementation
Effective Date: | 3/22/11 |
---|---|
Review Frequency: | Annual |
Responsible Office: |
Information Technology Services - Office of the CIO |
RESPONSIBLE OFFICER: |
Vice Provost/Chief Information Officer |
Revision History:
Date | Action |
---|---|
September 2015 | Updated responsibilities and responsible office/officer sections |
3/8/2013 | Public release of document |
2011-12 | Draft available for campus review and piloted by OCIO |
3/2011 |
Draft reviewed by Information Security Management Team Initial draft developed by Mary Shaffer |
2010-11 | Source documents acquired from other universities |