A school, department or other entity that cannot comply with a policy or standard must file a security exception. Except for minor approved exception requests, the requester is guided through an assessment methodology, using the "Policy Exception Request Template" (see below), that clarifies the direct and indirect costs of the alternative process or technology, including the technical, physical and administrative requirements needed to remain consistent with laws, regulations, university policy, the risk being assumed and the regulatory climate at large.
1. Prior to completing the Policy Exception Request Template, an initial request should be submitted via the online Policy Exception-Initial Request Form.
Once received, the information will be reviewed and the submitter will be notified of the next step.
Note: Minor exceptions arising from isolated circumstances may be adequately covered by this initial form alone, in which case the more extensive Policy Exception Request Template is not required.
2. If instructed to do so, the requester must fully complete the Policy Exception Request Template, including:
· Approval signature from the level of university management appropriate to the level of potential risk being assumed (this may be a Department Chair, Director, Dean, Vice President, the Provost or the President).
· Business and/or research case section, which contains:
o Description of the exception, including the policy number and the technology, process or standard involved and its application.
o Explanation of why the supported or recommended technology or standard does not meet the requirements, including a summary of the discussion held with IT.
o Suggestions on what a viable control or central IT supported solution would look like.
o Implementation and maintenance costs, both initial and on-going, for required licenses, hardware, software, infrastructure, training and procedural documentation, administrative and support personnel, temporary consultants, disaster recovery, backup and business continuity, together with the identified funding to support the technology over its projected life cycle.
· Data Sensitivity Assessment:
o Data definition.
o Expected users of the data (faculty, staff, research, students, clinical, etc.).
o Data access restriction requirements arising from laws and regulations (HIPAA, FERPA, PCI, NIH requirements, other laws or regulations, etc.), general privacy or proprietary/intellectual property concerns, university policy and/or prudent practice (this may be completed in conjunction with the Information Security Office).
o Security methodology for managing the data and access to it, including logical security (via the operating system, database, application and other means, as applicable) and physical security of hardware and related infrastructure.
· Implementation Plan
o Project implementation plan, including the resources and timeline devoted to implementation.
· Maintenance Plan
o Plan and resources devoted to on-going maintenance, administration, user training and contingencies.
3. Documentation is submitted to the Review Committee
· The committee includes representation from the Information Security Office (ISO) and Information Technology (IT), with Audit Services participating in an advisory capacity. Note: The committee may seek additional business and/or research advisory expertise.
· Risk Acceptance Document
o The committee will complete a Risk Acceptance Form for the responsible entity. This document identifies the risks the entity is assuming and records, based on the committee's assessment of the entity's documentation (as described above), whether the proposal is approved for implementation.
o The Risk Acceptance Form must be accepted, approved and signed off by the appropriate Dean or Vice President. This approval documents that entity management is aware of the risks inherent in the project and system, accepts them, and will use entity resources to maintain the system and mitigate any risk events that may arise. Note: Depending on the scope and impact of the project, approval of the Provost and/or the President of the University may also be required.
Note: For reference, the Risk Acceptance Form can be found on the ISO web site.
· Barring exceptional circumstances, and given a proposal that is thorough and complete, the review committee will review and assess the proposal within 30 days of receipt.
· If approved, the entity proceeds with implementation. A Subject Matter Expert (SME) from IT will monitor the implementation for adherence to the plan or to appropriate changes. If implementation proceeds as planned, the technology or process is allowed to go into production.
Note: The SME is not the project manager.
· If the request for exception is denied, or implementation cannot proceed according to plan, the entity may correct any deficiencies or seek alternative solutions.
4. Future review or audit
· Audit Services, Information Security, Institutional Compliance, IT or University Management may subsequently review the technology for continued adherence to the plan, security requirements, etc.