Exception to Information Security Policy Request Standard

Purpose

This Standard supports and supplements the University of Central Oklahoma’s (“University” or “UCO”) Information Security Policy. The Standard is mandatory and is enforced in the same manner as policy. It will be periodically reviewed and updated as necessary to meet changes in legal and regulatory requirements.

UCO recognizes that units and individuals at UCO operate in diverse and complex environments. When strict application of the Information Security Policy and its supporting standards cannot be met with reasonable effort, UCO is committed to assisting individuals and units in the completion of their objectives while providing appropriate protection for institutional information assets.

To balance the needs of individuals and units with the need to securely accomplish UCO’s mission, this Standard provides the UCO community with an exception process that accommodates specific, limited circumstances in which applying the security controls identified in the Information Security Policy and its supplemental Standards and Guides would significantly impair the educational, research, business, or service missions of the University, and that approves necessary variations from normally required policy compliance.

Scope

This Standard applies to:

  1. All divisions, colleges, and units established by the University that exercise any information technology (IT) function relating to the mission of the University, except those specifically exempted in writing by the senior leadership of the University (as defined in the Information Security Policy).

  2. University computer and telecommunications systems; faculty, staff, and students; academic and administrative units; affiliated entities, agents, contractors, and volunteers of the University; members of the community who use and/or administer such systems; and any information asset (as defined in the Information Security Policy) that connects directly or indirectly to any UCO-owned, leased, contracted, or operated computer or telecommunication system.

Standard Details

  1. REASONS FOR GRANTING EXCEPTION:

    While there are many reasons why an exception may be granted, the most common reasons include:

    1. When compliance adversely affects an individual’s or unit’s ability to accomplish their objectives and another acceptable solution with appropriate protection is available.

    2. When the risks of non-compliance are outweighed by the compliance costs.

    3. When immediate compliance would unacceptably disrupt operations.

  2. PROCESS FOR REQUESTING EXCEPTION:

    Units or individual faculty, researchers, and staff may submit an exception request by following this process:

    1. The first step is to request an Exceptions Review through the Service Desk or by phone at (405) 974-2255. Requests should describe the following:

      1. Name and contact information of requestor and unit.

      2. System, application, device, media, or research project specific to the exception.

      3. Obstacles to compliance (e.g., technical, operational, financial, efficiency, or other challenges).

      4. Description of data involved and unique, project- or environment-specific risks associated with non-compliance.

      5. Signature acknowledgement of Dean, Director, Budget Executive, or Department Head.

    2. Requestors will work with the UCO Office of Information Technology (OIT) and/or the OIT Information Security Department (ISD) to fully identify the systems, applications, devices, media, or research projects that are the subject of the request.

    3. The intent of the exception review is to identify any impact to the University and, where possible, to formulate an alternative solution that does not require an exception and that allows the unit or individual to accomplish its objective with minimal disruption or negative impact.

    4. If an alternative solution is not feasible, a formal exception request must be submitted.

    5. Exception requests will receive acknowledgment of receipt and categorization within three (3) business days. A determination regarding the request will be provided as soon as reasonably possible. More complex requests may receive a determination that further investigation is necessary. During evaluation, units or individuals may continue normal operations, unless instructed otherwise by ISD.

    6. The Chief Information Officer (CIO), or the Director of Information Security acting as the delegated authority from the CIO, will evaluate exception requests on a case-by-case basis, accounting for level of risk, potential threats and vulnerabilities, cost analysis, available staff resources, other priority commitments, and operational and technical limitations or constraints. The CIO or Director of Information Security may involve additional stakeholders and subject matter experts during the evaluation process, but the CIO and Director of Information Security will have final responsibility and accountability for approving or denying a request for an exception.

    7. ISD may approve compensating controls for the assigned data security level to maintain security and reduce risk when certain standard controls prescribed for that level are not feasible. These compensating controls must be documented and agreed to by the CIO or the Director of Information Security.

    8. The Director of Information Security, or their delegates, may also grant a short-term exception while working with the requestor to establish a timeline for full compliance.

    9. Short-term exceptions are valid for the agreed-upon timeline but will not exceed 180 days. Before a short-term exception expires, the requestor will contact ISD to determine whether there is a continuing need for the exception.

    10. Long-term exceptions granted by the CIO or the Director of Information Security remain in force unless there is a significant change that requires a reevaluation.

    11. ISD reserves the right to review exceptions and may, at its discretion, require changes to any exception at any time.

    12. After exploring reasonable alternatives in conjunction with the unit, individual and other stakeholders, the CIO, or the Director of Information Security, acting as the delegated authority, will approve or deny the request for an exception.

Standard Violations

  1. Failure to comply with this standard or other University policies will result in disciplinary action, up to and including termination of employment and/or enrollment. All persons to whom these policies, standards, and guidelines are applicable, as stated above, are responsible for adhering to these rules.

  2. All supervisory personnel are responsible for ensuring that these policies, standards, and guidelines are adhered to within their respective areas of responsibility. Any user may report University policy or law violations to their immediate supervisor, to representative faculty or school personnel, or through UCOMMENT.

Change Log

Version    Date    New    Original

Approvals

Approved By    Date    Description
Jeff Miller    February 9, 2023    Initial Policy Release