Security Policy and Standards Exception Requests
An exception request must be submitted for compliance deviations impacting Institutional Information and IT Resources classified as Critical Infrastructure, Protection Level 3 or 4, or Availability Level 3 or 4.
Compliance deviations can come from:
- UCI Information Security Standards
- UC Information Security Policy, IS-3
- Applicable security requirements of laws, governmental regulations, agreements, grants, contracts, or external obligations.
Exception Request Form:
Use the following form to create an exception request. Once the form is completed, submit the request to email@example.com
Exception Request Process
Step 1: Fill out the security exception request form
- The Unit Information Security Lead (UISL) or delegate must submit the request to OIT Security.
- Exception requests cannot have an expiration date beyond 1 year.
- Signatures are not expected to be captured in this step of the request process.
Step 2: Submit the exception request form to firstname.lastname@example.org
- Once the request is submitted, OIT Security will review the request. If additional information is needed, OIT Security will reach out to the requestor and UISL.
Step 3: UCI’s Chief Information Security Officer (CISO) or delegate reviews the request:
- CISO identifies the risk accepter, who is a Unit Head with a level of authority that matches the risks identified, and any other individuals who may need to approve the request.
- CISO has the ability to:
  - Grant the exception request as submitted.
  - Grant the exception request with added modifications.
  - Reject the exception request.
Step 4: Requestor and UISL share and discuss the exception request with the identified risk accepter.
- Unit acceptance includes acceptance of risks and potential financial loss.
- If cyber insurance applies, the Unit is responsible for the UC cyber insurance deductibles.
- If cyber insurance doesn’t apply, the Unit is fully financially responsible for the total incident cost.
Step 5: Notify OIT Security that the risk accepter has agreed to formally sign and accept the risk and is ready to sign off on the exception.
- OIT Security will set up an electronic form to collect digital signatures.