Search Google Appliance

Information Technology

Foundational Information Security Controls Exception Process

We're taking you to an updated version of this article.

UMass Amherst Information Technology support articles are now updated in the new IT Knowledge Base. We found an updated version of this article, so we're sending you there.

Taking you to:
Redirecting in

Stay here to view this page in the legacy Support Center.
Information may be outdated as these articles are no longer maintained.

Find answers to your tech questions in the new IT Knowledge Base.

UMass Amherst Information Technology support articles are now updated in the new IT Knowledge Base.

This article is part of our archived legacy Support Center and may be outdated or inaccurate.
We did not find an updated version of this article. That means this archived content is more likely to be outdated or no longer relevant.
Check the new IT Knowledge Base for updated information:

More tech help options

The implementation of the foundational information security controls (anti-virus, patch management, encryption, and firewalls) reduces the risk of accidental, malicious or unauthorized disclosure, misuse, modification, destruction, loss and/or damage to university information, research data and computing systems.
All users of the UMass Amherst network or information technology systems are responsible for the maintenance, appropriate use and security of those resources, including the adoption and upkeep of these foundational information security controls.
There may be use cases in which these foundational information security controls cannot be implemented. In such cases, an exception must be documented and approved using the formal exception process.
Exceptions will be granted for a specific time period, not to exceed a year, and will be reviewed and approved on a case-by-case basis. The review process will take into consideration the risk to the computer, information and data, and the compensating controls in place.
An exception MAY be requested when any of the following apply:
  • The computer is due to be replaced or decommissioned in the near future (temporary exception not to exceed 3 months).
  • The hardware does not meet the minimum requirements.
  • The computer is specialized equipment (e.g. lab equipment controller).
  • The software will cause significant interruption of a business process.
  • Equivalent or superior security controls are already in place.

Requests for exception that create significant risk to the university without appropriate compensating controls will not be approved. Compensating controls may be reviewed in the event of a security incident.

Exception Request Process
  1. The requester fills out the Foundational Information Security Controls Exception Form
  2. IT Information Security reviews the request, assesses the risk, and asks for additional information if needed.
  3. IT Information Security approves or denies the request.
  4. IT Information Security notifies the requester of the status and the basis for the approval or an explanation of the denied request. In the case of a denied request, IT Information Security may recommend requirements to approve the request.
  5. A requester may appeal a denied request by submitting additional information to The appeal will be reviewed by IT Information Security and the leadership in the requester's college/department.

Contact IT Information Security with questions about the foundational information security controls or the exception process.