Security Exceptions Procedure

Standard Name: Security Exceptions Procedure

Area: Information Services

Process Owner/Manager: Information Security Services

Effective Date: 3/5/2018

Purpose

In accordance with the West Lafayette Internal Audit Office and Purdue University Northwest Security Team, PNW must submit requests for exceptions to information security policies, standards, guidelines, and procedures. The purpose of this document is to record the process that will be taken when a security exception is requested.

Summary

Security exception requests must be submitted to and reviewed by the Information Security Services department. The security exception forms contains a number of questions and fields that assist the Security team with the review.

  1. A requester and their Department Head/Director seeking an exception must assess the risk that the non-compliance causes Purdue University Northwest IT Resources and business process. If the Department Head/Director believes the risk is reasonable, then the request for the exception can proceed.
  2. The requester will fill out the Request for Security Policies/Procedures Exception form.
  3. The form must be submitted to the Information Security Services team in Powers building, room 216.  The Information Security Services group will gather any necessary background information and make a recommendation to approve or deny the request.  This group may recommend that other areas such as Data Steward(s), Departmental Computing Management, and/or Internal Audit review certain decisions.
  4. Exceptions to current security controls may require implementation of compensating controls to maintain security and reduce risk. Options for compensating controls may be recommended by the requesting party or by ISS, Data Stewards, or Internal Audit. Compensating controls will be the responsibility of the requesting unit to implement and maintain. (Note: Compensating controls may have an increased cost over the original control.)
  5.  The Information Security Services team will approve or deny the request for an exception.
  6. The requester and Department Head/Director will be notified of the decision to approve or deny.
  7. All requests for exceptions will be retained by the Information Security Services team.
  8. Exceptions are valid for a one-year period.  At that time a new request for exception must be submitted.