Revised: August 26, 2013
Policy Exception and Risk Assumption
University students, faculty, staff, contractors, and volunteers must comply with all applicable policies, approved practices, rules, standards, procedures, and guidelines. The Information Security exception and risk assumption process applies to instances where the cost to remediate systems and processes that are not compliant with these requirements greatly exceeds the risks of non-compliance.
Information Security exception requests are reviewed and analyzed by the Information Security Office, and possibly by General Counsel. If the request creates significant risks without compensating controls, it will not be approved.
All approved exception requests will have an expiration date and must be reviewed prior to that date to ensure that assumptions or business conditions have not changed, and reapproved if the exception to policy is still valid.
To request an exception, please fill out the Information Security Exception and Risk Assumption Request Form.