- SCU Home Page
- About SCU
- On Campus
- News & Info
Information Security Exception Process
August 26, 2013
Policy Exception and Risk Assumption
University students, faculty, staff, contractors, and volunteers must comply with all applicable policies, approved practices, rules, standards, procedures and guidelines. The Information Security exception and risk assumption process applies to instances where the cost to remediate systems and processes that are not compliant with applicable policies, approved practices, rules, standards, procedures and guidelines greatly exceeds the risks of non-compliance.
Information Security exception requests are reviewed and analyzed by the Information Security Office, and possibly by General Counsel. If the request creates significant risks without compensating controls it will not be approved.
All approved exception requests will have an expiration date and must be reviewed prior to that date to ensure that assumptions or business conditions have not changed, and reapproved if the exception to policy is still valid.
Information Security Exception and Risk Assumption Request Form
Please complete the following to request an exception.
I, as the responsible university approver, accept responsibility for the risks associated with this exception to information security approved practices or standards. I understand that the risks include potential loss of information and acceptance of the personal and departmental sanctions described in the Data Classification Standard. I also understand that this exception may be revoked and will be subject to annual follow-up procedures.
Portions of this document are adapted with permission from Stanford University, Purdue University, and the University of Utah