Information Security

Security Exemption Process

Last modified 1/28/2021

Security exemptions are documented exceptions to published processes, procedures, or standards.

This process should be followed for requesting and maintaining security exemptions.

Process

  1. A department requires an exemption for a published Process, Procedure, or Standard.
  2. A department representative or system owner requests an exemption.
  3. The Information Security Office validates the request and publishes the exemption request to a department-viewable resource.
  4. The Information Security Office requests approval of the exemption, for a finite period of time, from the Chief Information Security Officer.
    1. If not approved, the process ends here.
  5. The Information Security Office requests exemption approval from the head of department.
    1. If not approved, the process ends here.
  6. The Information Security Office publishes the approved exemption to a department-viewable resource.
  7. The Information Security Office receives a ticket when the exemption has expired.
  8. The Information Security Office verifies with the system owner or department representative that the original issue has been resolved.
    1. Alternatively, a new exemption can be requested to restart the process.
  9. The Information Security Office closes the ticket after resolution.

Further Reading

Exemption Procedure

Exemption Form

Exemption Tracking