Security Policy and Standards Exception Requests

An exception request will need to be submitted for compliance deviations impacting Institutional Information and IT Resources classified as Critical Infrastructure, Protection Level 3 and 4 and as Availability level 3 and 4.

Compliance deviations can come from:

  • UCI Information Security Standards
  • UC Information Security Policy, IS-3
  • Applicable security requirements of laws, governmental regulations, agreements, grants, contracts, or external obligations.

Exception Request Form:

Use the following form to create an exception request. Once the form is completed submit the request to securityreviews@uci.edu

Exception Request Process

Step 1: Fill out the security exception request form

  • The Unit Information Security Lead (UISL) or delegate must submit the request to OIT Security. 
  • Exception requests cannot have an expiration date beyond 1 year.
  • Signatures are not expected to be captured in this step of the request process.

Step 2: Submit the exception request form to securityreviews@uci.edu

  • Once the request is submitted, OIT Security will review the request. If additional information is needed, OIT Security will reach out to the requestor and UISL.

Step 3: UCI’s Chief Information Security Officer (CISO) or delegate reviews the request:

  • CISO identifies the risk accepter who is a Unit Head with the level of authority that matches the risks identified, and any other individuals who may need to approve the request.
  • CISO has the ability to:
    • Grant the exception request as submitted.
    • Grant the exception request with added modifications.
    • Reject the exception request.

Step 4: Requestor and UISL share and discuss the exception request with the identified risk accepter.

  • Unit acceptance includes acceptance of risks and potential financial loss.
    • If cyber insurance applies then the Unit is responsible for the UC cyber insurance deductibles.
    • If cyber insurance doesn’t apply then the Unit is fully financially responsible for the total incident cost.

Step 5: Notify OIT Security that the risk accepter has agreed to formally sign and accept the risk and is ready to sign-off on the exception.

  • OIT Security will setup an electronic form to collect digital signatures.

 

Resources: