Procedure for Cyber Security Exception Request
Cyber Security Exception Request must be raised by the person (or CSC) responsible for implementing the standards or controls. An email with the following information can be sent to Cybersecurity Operations team (security@ust.hk).
- State the policy / standard for which exception is being requested.
- State the specific servers or web applications for which exception is being requested.
- Data classification category of the servers or web applications.
- Type of data that will be affected.
- Reason why an exception is required.
- Proposed assessment of potential risk.
- Proposed plan for managing or mitigating those risks.
- Anticipated length of non-compliance.
- Proposed review date to evaluate progress.
- Any additional information as needed.
On receiving the above information, Cybersecurity Operations team will :
- Check if all information are well received and documented.
- Evaluate the exception request by IT Security Officer. IT Security Officer may communicate and/or work with the requestor or CSC to understand the situation. If found not appropriate, IT Security Officer may reject the exception request.
- Confirm the receipt of the exception request. A confirmation email, together with any comments from the IT Security Officer, will be sent to the requestor and CC: the correspinding Head of Department and CSC. If no further concern being received from the Head of Department, the exception request will be assumed to be reviewed and approved by the Head of Department.
- File the exception request until the next proposed review date.