All resources connected to or owned by the university network are expected to comply with the Cybersecurity Policy and the Minimum Security Standard, which establish the controls necessary to protect the University's information assets. There may, however, be cases where compliance cannot be achieved, for reasons such as the following. In such cases an exception must be documented and University management must be notified.
- A temporary exception, where immediate compliance would disrupt critical operations.
- A legacy system that is being retired, where compliance is not possible (the residual risk must still be managed).
- A long-term exception, where compliance would adversely impact university business.
- An inability to implement the standard because of a technical or other limitation.
The exception request must document the following information:
- The specific policy / standard for which an exception is being requested.
- The specific servers or applications for which the exception is being requested.
- The data classification category of the associated device, application or service.
- The type of data that will be affected, directly or indirectly, by the exception.
- The reason why an exception is required, e.g., what business need or situation exists, what alternatives were considered, and why they are not appropriate.
- A proposed assessment of the potential risk associated with non-compliance.
- A proposed plan for managing or mitigating the risks associated with non-compliance.
- The anticipated duration of non-compliance.
- A proposed review date to evaluate progress toward compliance.
- Additional information as needed, including any specific conditions or requirements.
All exception requests must be raised by the department's Cybersecurity Coordinator (CSC) or by the person responsible for implementing the standards or controls. Exception requests are evaluated by the IT Security Officer for risk and mitigating factors. The IT Security Officer may work with the department's Cybersecurity Coordinator or the requester to establish a timeline for compliance and for the implementation of interim mitigating controls. If the request is found inappropriate, the IT Security Officer may reject it. Non-compliant systems that pose a significant risk to campus resources may be removed from the campus network and/or subjected to other take-down action. All exception requests must also be reviewed and approved by the corresponding Head of Department. The procedure for raising an exception request can be found here.