Policy, Standards, and Procedures Exceptions Process
Table of Contents
1. Purpose and Background
2. Procedures
a) The Process
b) Requesting an Exception
3. Definitions
4. Related Links
REVISION HISTORY: June 1, 2022
1. Purpose and Background
The University of Virginia is committed to safeguarding its information and computing infrastructure upon which the teaching, research, public service, and healthcare functions rely (see the Information Security of University Technology Resources policy). Additionally, the University is strongly committed to maintaining the security and privacy of confidential personal information and other data it collects or stores (see the Data Protection of University Information policy and Privacy and Confidentiality of University Information policy).
In order to guide the University community in achieving these objectives, the University has established policies, standards, and procedures that all users are required to follow. However, the University also recognizes that there may be urgent business needs or academic pursuits that require deviations from these policies, standards, and procedures. Therefore, the University has developed an exceptions process that users may use to justify such deviations.
This document outlines the exceptions process, intended for all users of University technology resources and information. Questions about exceptions and/or the request process should be emailed to [email protected]
2. Procedures
The Process
Any user who wishes to be granted an exception from a policy, standard, or procedure must provide the following information relevant to the request:
- Specific policy, standard, and/or procedure for which an exception is requested.
- List of the systems, networks, and/or data to which the exception will apply. The list must include the fully qualified name of any servers (e.g., abc.its.virginia.edu) and the category of data sensitivity (e.g., highly sensitive data).
- Explanation as to why this exception is being requested.
- Details regarding the mitigating factors and compensating controls that will be used to offset the risk.
- Length of time (three, six, or 12 months) for which the exception is requested.
- Requestor’s name, email address, and department and, if applicable, technical person(s) name(s) and email address(es).
The University Information Security office (InfoSec) will assess the level of risk associated with the proposed exception. The magnitude of the assessed risk will dictate the level of approval that is needed. After InfoSec has reviewed the request and confirmed the details of the requested exception, the Chief Information Security Officer (CISO) or designee will review it and, if approved, determine the additional approvals the user needs to obtain based on the following chart:
| Resulting Risk from Exception | Chair/Dept. Head or designee | VP/Dean or designee | CIO or designee |
|---|---|---|---|
| Low Risk | X | | |
| Medium Risk | X | X | |
| High Risk | X | X | X |
For example, the risk associated with storing highly sensitive data on an individual use device is usually considered a medium risk, thus requiring approvals from the department chair/head or designee, and the VP/Dean or designee.
Note: University leaders, including academic deans, academic chairs, vice-presidents, and C‑level employees, may not approve their own exception requests. In such cases, either the supervisor of the requestor or a person in a similar position of authority, who is able to judge and accept the risk, business need, and appropriateness of the exception request for the unit, will be the designated authorizing official.
Requesting an Exception
Anyone can initiate an exception request by using the Information Technology Services (ITS) Service Catalog Request an Exception to a Security Policy, Standard, or Procedure item, which guides users through the policy exception request process as follows:
- After having selected the Service Catalog Request an Exception item, the user enters the required information in the fields provided. Users may also upload supporting documentation.
- Once the form is submitted, the request is assigned to the IT Compliance team to review.
- An IT Compliance team member works with the user to
- assess the risks created by the exception,
- evaluate potential alternatives,
- provide recommendations, and
- determine the appropriate departmental and, if applicable, data steward approval(s) the user needs to obtain.
- Once the appropriate approvals are obtained, the IT Compliance team member will reply via email with documented approval or denial of the request (along with request details) to the requestor and/or user for whom the exception was requested, copying the department head/chair and vice president/dean approvers, as well as University Audit.
- If the exception is granted and approvals obtained, the IT Compliance member will provide the user with any additional assistance as needed, such as coordinating with the relevant data steward(s) or other individual(s) who have a role in fulfilling the exception request.
- If the exception is not granted, University Information Security will work with the user to define a reasonable deadline for compliance.
- If the exception is not granted, the user may appeal the decision to the Chief Information Officer (CIO).
- The user will be notified prior to expiration that the exception duration is ending. The user must then submit a new exception request or notify InfoSec that the exception is no longer needed.
Note: Exceptions will not be granted when feasible alternatives exist or risks outweigh projected benefits.
3. Definitions
For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.
4. Related Links
- Acceptable Use of the University’s Information Technology Resources (IRM-002)
- Data Protection of University Information (IRM-003)
- Information Security of University Technology Resources (IRM-004)
- Privacy and Confidentiality of University Information (IRM-012)