Security Policy/Procedures Exceptions
Security Policy Exceptions
Purdue University information security policies, standards, guidelines, and procedures institute controls that are used to protect Purdue University data and IT Resources. While every exception to a policy or standard weakens protection for University IT Resources and underlying data, occasionally exceptions will exist. Centralized and departmental IT units and IT Resource owners who are responsible for ensuring appropriate enforcement of University information security policies and related standards on University IT Resources must use this procedure when requesting an exception to Purdue University information security policies, standards, guidelines, and procedures.
The following procedure defines the process for the review and approval of exceptions to Purdue University information security policies, standards, guidelines, and procedures:
- A requestor and their Department Head/Director seeking an exception must assess the risks that non-compliance causes Purdue University IT Resources and business processes. If the Department Head/Director believes the risk is reasonable, then the requestor prepares a written request describing the risk analysis and the request for an exception.
  NOTE: The only reasons that justify an exception are when compliance adversely affects business objectives or when the cost to comply offsets the risk of non-compliance.
  The risk analysis includes:
  - Identification of the threats and vulnerabilities, how likely each is to occur, and the potential costs of an occurrence.
  - The cost to comply.
- Submit the request for exception to the Chief Information Security Officer, or his or her designee at ROSS 112. The ITaP Security and Policy (ITSP) group will gather any necessary background information and make a recommendation to approve or deny the request. This group may recommend that other areas such as Data Steward(s), Departmental Computing Management, and/or Internal Audit review certain decisions.
- Exceptions to current security controls may require implementation of compensating controls to maintain security and reduce risk. Options for compensating controls may be recommended by the requesting party or by ITaP Security and Policy (ITSP), Data Stewards, or Internal Audit. Compensating controls will be the responsibility of the requesting unit to implement and maintain. (Note: Compensating controls may have an increased cost over the original control.)
- The Chief Information Security Officer, or his or her designee, will approve or deny the request for an exception.
- The requestor and Department Head/Director will be notified of the decision to approve or deny.
- All requests for exception will be retained by ITaP Security and Policy.
- Exceptions are valid for a one-year period. Annually, ITaP Security and Policy will send a copy of approved exceptions back to the requestor and Department Head/Director who must determine whether the conditions that justified the original exceptions are still in effect. If the conditions have substantially changed, a new request for exception must be submitted. Where little has changed, the review process may be shortened as recommended by the Chief Information Security Officer, his or her designee, and/or ITaP Security and Policy.