Search Google Appliance

Information Technology

Foundational Information Security Controls Exception Process

The implementation of the foundational information security controls (anti-virus, patch management, encryption, and firewalls) reduces the risk of accidental, malicious or unauthorized disclosure, misuse, modification, destruction, loss and/or damage to university information, research data and computing systems.
All users of the UMass Amherst network or information technology systems are responsible for the maintenance, appropriate use and security of those resources, including the adoption and upkeep of these foundational information security controls.
There may be use cases in which these foundational information security controls cannot be implemented. In such cases, an exception must be documented and approved using the formal exception process.
Exceptions will be granted for a specific time period, not to exceed a year, and will be reviewed and approved on a case-by-case basis. The review process will take into consideration the risk to the computer, information and data, and the compensating controls in place.
An exception MAY be requested when any of the following apply:
  • The computer is due to be replaced or decommissioned in the near future (temporary exception not to exceed 3 months).
  • The hardware does not meet the minimum requirements.
  • The computer is specialized equipment (e.g. lab equipment controller).
  • The software will cause significant interruption of a business process.
  • Equivalent or superior security controls are already in place.

Requests for exception that create significant risk to the university without appropriate compensating controls will not be approved. Compensating controls may be reviewed in the event of a security incident.

Exception Request Process
  1. The requester fills out the Foundational Information Security Controls Exception Form
  2. IT Information Security reviews the request, assesses the risk, and asks for additional information if needed.
  3. IT Information Security approves or denies the request.
  4. IT Information Security notifies the requester of the status and the basis for the approval or an explanation of the denied request. In the case of a denied request, IT Information Security may recommend requirements to approve the request.
  5. A requester may appeal a denied request by submitting additional information to The appeal will be reviewed by IT Information Security and the leadership in the requester's college/department.

Contact IT Information Security with questions about the foundational information security controls or the exception process.