Security Policy/Procedures Exceptions

Security Policy Exceptions

Purdue University information security policies, standards, guidelines, and procedures institute controls that protect Purdue University data and IT Resources. Every exception to a policy or standard weakens protection for University IT Resources and the underlying data, but exceptions will occasionally exist. Because policies and standards are system-wide requirements for all campuses, centralized and departmental IT units and IT Resource owners, who are responsible for ensuring appropriate enforcement of University information security policies and related standards on University IT Resources, must use this procedure when requesting an exception to Purdue University information security policies, standards, guidelines, and procedures.

Exception Procedure

The following procedure defines the process for the review and approval of exceptions to Purdue University information security policies, standards, guidelines, and procedures:

A requestor and their Department Head/Director seeking an exception must assess the risks that noncompliance causes Purdue University IT Resources and business processes. If the Department Head/Director believes the risk is reasonable, then the requestor prepares a written request via the DocuSign form link below describing the risk analysis and request for an exception.

NOTE: The only reasons that justify an exception are when compliance adversely affects business objectives or when the cost to comply offsets the risk of noncompliance.

The security exception request form requires the following information:

  • Security Policy, Standard, or Procedure to which this exception applies.
  • Describe why the exception is needed (e.g., why following the requirement is not possible, and the adverse impact to services, operations, or administration).
  • Describe the security threats to data, the application/service, and Purdue infrastructure that this exception introduces.
  • Describe the total cost to comply with the security policy/standard/procedure. Quantify, estimate, or describe the cost of complying with the current policy (e.g., FTE hours and/or expense dollars incurred to be in compliance), or describe in detail the impact to users, including an estimate of the number of users impacted.
  • Identify the data elements that are sensitive or restricted per University data classification and handling procedures.
  • Explain how the data elements are used in the application or service affected by your request for exception.
  • Describe your proposed compensating controls that mitigate the additional risk of not following the policy, standard, or procedure, or that provide a similar level of defense as the original control requirement.

Request for Security Exception Form

  • Submit the DocuSign form request for exception. It is important that you provide detailed information in your request, including your identification of risks and costs.
  • You will be required to meet with the ITaP Security and Policy (ITSP) Senior Team to discuss your request. This group may recommend that other areas, such as Data Steward(s) and/or Internal Audit, review certain decisions.
  • Exceptions to current security controls may require implementation of compensating controls to maintain security and reduce risk. Options for compensating controls may be recommended by the requesting party or by ITaP Security and Policy (ITSP), Data Stewards, or Internal Audit. Compensating controls will be the responsibility of the requesting unit to implement and maintain. (Note: Compensating controls may have an increased cost over the original control.)
  • The Chief Information Security Officer, or his or her designee, will approve or deny the request for an exception.
  • The requestor and Department Head/Director will be notified of the decision to approve or deny.
  • All requests for exception will be retained by ITaP Security and Policy.
  • Exceptions are valid for a one-year period. Annually, ITaP Security and Policy will send a copy of approved exceptions back to the requestor and Department Head/Director, who must determine whether the conditions that justified the original exceptions are still in effect. If the conditions have substantially changed, a new request for exception must be submitted. Where little has changed, the review process may be shortened as recommended by the Chief Information Security Officer, his or her designee, and/or ITaP Security and Policy.