114 Information Security Exceptions
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
Requirement/Expectation | All Users | Data/System Owners | System Custodians/ Administrators | OIS | Departments, Schools, Units |
---|---|---|---|---|---|
A department, school, or WashU Community member that is not able to meet the requirements stated in OIS policies and standards will submit a policy exception request form. | ✔ | ✔ | ✔ | ✔ | ✔ |
Department IT, Data Owners, and System Owners may assist in completing the exception form. | ✔ | ✔ | ✔ | ||
OIS will perform a risk assessment after receiving the completed request materials. | ✔ | ||||
Exception requests for the purpose of convenience or personal preference or that pose unacceptable risk to the university will not be approved. | ✔ | ✔ | ✔ | ✔ | ✔ |
The CISO will review exceptions that pose high risk to the university. | ✔ | ||||
Exception requests involving the reduction of security controls and/or settings will not be implemented until the exception has been reviewed and approved by the OIS. | ✔ | ✔ | ✔ | ✔ | ✔ |
The OIS will review granted exceptions annually at a minimum to determine whether the exception is still appropriate | ✔ |
Summary of Policy
Strong security policies are crucial for protecting WashU’s information resources. However, perfect adherence by every member of the WashU Community is not always feasible. The exception policy clearly communicates how the OIS handles exception requests when compliance with published policies and standards is not possible. This policy includes details about the following topics:
- Preparing an exception request
- Assessing risks associated with exceptions
- Escalating high-risk exception requests to the CISO for review
- Implementing compensating security controls
- Documenting and reviewing exceptions
Full Text of Policy
Policy 114 Information Security Exceptions
The Information Security Exceptions Policy clearly communicates how the OIS handles exception requests when compliance with published policies and standards is not possible.
Related Information
105 Information Security Risk Management
This policy describes how the Office of Information Security (OIS) helps manage technical and process risks to the Confidentiality, Integrity, and Availability (CIA) of information resources at Washington University in St. Louis (WashU).