Information Security

Security Exemption Procedure

Last modified 1/28/2021

Security exemptions are documented exceptions from following a published process, procedure, or standard for approved systems or procedures.

This procedure should be followed for requesting and maintaining security exemptions.

Procedure

  1. A department requires an exemption for a published Process, Procedure, Standard, or ISU Policy and Procedure.
  2. A department representative or system owner requests an exemption by completing the Exemption Request Form on the Information Security Docs site. A Cherwell ticket is automatically created at form submission.
  3. The Information Security Office validates the request and creates an exemption page on the Information Security Docs site.

    1. Pro Tip

      You may find all pending, approved, not approved, and expired exemptions on your team's exemption tracking page. Select the page for your team at Exemption Tracking.

  4. The Information Security Office will email the head of department and requester to request approval from the department head for the request.
    1. If not approved, the procedure ends here.
  5. The Information Security Office requests approval from the Chief Information Security Officer. The exemption will be approved for a finite period of time.
    1. If not approved, the procedure ends here.
  6. The Information Security Office emails an approval receipt to the department head and requester. The approved exemption is published to the department's exemption page on the Information Security Docs site - including the duration of the exemption.
  7. After the exemption expires, the Information Security Office receives a Cherwell ticket. The department head and requester also receive email notification that the exemption has expired.
  8. The Information Security Office will verify the original issue has been resolved with the system owner or department representative. The original issue/reason should be resolved.
    1. Alternatively, a new exemption can be requested to restart the exemption process.
  9. The Information Security Office closes the ticket after resolution.

Further Reading

Exemption Process

Exemption Form

Exemption Tracking