Security Policy Exceptions
Purdue University information security policies, standards, guidelines, and procedures institute controls that are used to protect Purdue University data and IT Resources. While every exception to a policy or standard weakens protection for University IT Resources and underlying data, occasionally exceptions will exist. Centralized and departmental IT units and IT Resource owners who are responsible for ensuring appropriate enforcement of University information security policies and related standards on University IT Resources must use this procedure when requesting an exception to Purdue University information security policies, standards, guidelines, and procedures.
The following procedure defines the process for the review and approval of exceptions to Purdue University information security policies, standards, guidelines, and procedures:
- A manager (or their designee) seeking an exception must assess the risks that non-compliance causes Purdue University IT Resources and business processes. If the manager believes the risk is reasonable, then the manager prepares a written request describing the risk analysis and request for an exception.
NOTE: The only reasons that justify an exception are when compliance adversely affects business objectives or when the cost to comply offsets the risk of non-compliance.
The risk analysis includes:
Request for Security Exception Form
- Identification of the threats and vulnerabilities, how likely each is to occur and the potential costs of an occurrence.
- The cost to comply.
- Submit the request for exception to the Chief Information Security Officer, or his or her designee at Young Hall Rm 628. The ITaP Security and Policy (ITSP) group will gather any necessary background information and make a recommendation to approve or deny the request. This group may recommend that other areas such as Data Steward(s), Departmental Computing Managers, and/or Internal Audit review certain decisions.
- The Chief Information Security Officer, or his or her designee, will approve or deny the request for an exception.
- The requesting manager will be notified of the decision to approve or deny.
- All requests for exception will be retained by ITaP Security and Policy.
- Exceptions are valid for a one-year period. Annually, ITaP Security and Policy will send a copy of approved exceptions back to the requesting manager who must determine whether the conditions that justified the original exceptions are still in effect. If the conditions have substantially changed, a new request for exception must be submitted. Where little has changed, the review process may be shortened as recommended by the Chief Information Security Officer, his or her designee, and/or ITaP Security and Policy .