Santa Clara University

Information Security Office

Information Security Exception Process

August 26, 2013

Policy Exception and Risk Assumption

University students, faculty, staff, contractors, and volunteers must comply with all applicable policies, approved practices, rules, standards, procedures and guidelines.  The Information Security exception and risk assumption process applies to instances where the cost to remediate systems and processes that are not compliant with applicable policies, approved practices, rules, standards, procedures and guidelines greatly exceeds the risks of non-compliance.

Information Security exception requests are reviewed and analyzed by the Information Security  Office, and possibly by General Counsel.  If the request creates significant risks without compensating controls it will not be approved.

All approved exception requests will have an expiration date and must be reviewed prior to that date to ensure that assumptions or business conditions have not changed, and reapproved if the exception to policy is still valid.

Information Security Exception and Risk Assumption Request Form

Please complete the following to request an exception.

 Security Approved Practice or Standard to which this exception applies:



 I understand that compliance with Santa Clara University information security approved practices and standards is expected for all students, faculty, staff, information systems, and communication systems.  I have read the above-named policy and I believe that the control(s) described therein should not be required for the following organizational unit, information system, or communication system:






 I understand that an exception to information security approved practices is appropriate only when compliance would: (a) adversely affect the accomplishment of Santa Clara University business, or (b) cause an adverse financial impact that would not be offset by the reduced risk occasioned by compliance. 



 This exception is warranted because:




A written assessment has been prepared of the risks associated with this exception.  This risk assessment has been jointly prepared with the assistance of Information Security Office.  (Yes or No)

I, as the responsible university approver, accept responsibility for the risks associated with this exception to information security approved practices or standards. I understand that the risks include potential loss of information and acceptance of the personal and departmental sanctions described in the Data Classification Standard.  I also understand that this exception may be revoked and will be subject to annual follow-up procedures.

 Printed Name of Requestor Requestor Signature
Printed Name of Approver
Approver Signature
 Printed Name of Data Owner Data Owner Signature
 Printed Name of ISO Representative ISO Representative Signature

Portions of this document are adapted with permission from Stanford University, Purdue University, and the University of Utah

Information Security Office, 1-408-554-5554,