- The computer is due to be replaced or decommissioned in the near future (temporary exception not to exceed 3 months).
- The hardware does not meet the minimum requirements.
- The computer is specialized equipment (e.g. lab equipment controller).
- The software will cause significant interruption of a business process.
- Equivalent or superior security controls are already in place.
Requests for exception that create significant risk to the university without appropriate compensating controls will not be approved. Compensating controls may be reviewed in the event of a security incident.
- The requester fills out the Foundational Information Security Controls Exception Form
- IT Information Security reviews the request, assesses the risk, and asks for additional information if needed.
- IT Information Security approves or denies the request.
- IT Information Security notifies the requester of the status and the basis for the approval or an explanation of the denied request. In the case of a denied request, IT Information Security may recommend requirements to approve the request.
- A requester may appeal a denied request by submitting additional information to email@example.com. The appeal will be reviewed by IT Information Security and the leadership in the requester's college/department.
Contact IT Information Security firstname.lastname@example.org with questions about the foundational information security controls or the exception process.