Request an Information Security Policy Exception

Summary

When a device doesn’t meet campus information security requirements, it poses a risk to all other devices on the network. Campus information security requirements are designed to protect our systems and data. Anything that doesn’t meet these requirements may face removal from the campus network if it poses a significant risk.

If you – or your department/unit – have a device or IT service that can’t meet campus information security requirements but must remain on the network, you should request a policy exception to avoid it being blocked unexpectedly. 

Please be aware that all exceptions are temporary, and systems must ultimately be brought into compliance.

Process

All exception requests are reviewed by the Information Security Office (ISO). Approval is based on whether the risks have been adequately addressed. ISO can also help you with the process and recommend options so your device/service can stay on the network.  

The steps associated with the Information Security Policy Exception process are:

  1. Complete a policy exception request form (links below). 

  2. The request is reviewed by the Information Security Office and approved, alternatives proposed, or escalated. 

  3. You should hear back from an information security analyst within a week.

  4. Escalation Process: Exception requests that pose a greater risk than the Information Security Office can accept are escalated to the Department or Unit Head. Additional approvals may also be required based on the level of risk the exception represents.

Request Forms

Additional information

For detailed information, please see the Information Security Policy Exception Process

The exception request form asks for: 

  • Your contact information

  • Contact info for the person with the authority to accept the risks associated with the exception*

  • Information about the devices and data* involved

  • Which policy requirement(s) can’t be met 

  • Any alternative protections to compensate for not meeting the policy requirements

  • A timeline for bringing the device(s) into compliance (all exceptions are temporary) 

* Not included on the form for personally owned devices

See the full list of questions: 

Standard | Personal Devices