114 Information Security Exceptions

The following table shows who is responsible for ensuring compliance with the policy requirements listed below.

| Requirement/Expectation | All Users | Data/System Owners | System Custodians/Administrators | OIS | Departments, Schools, Units |
| --- | --- | --- | --- | --- | --- |
| A department, school, or WashU Community member that is not able to meet the requirements stated in OIS policies and standards will submit a policy exception request form. | ✔ | ✔ | ✔ | ✔ | |
| Department IT, Data Owners, and System Owners may assist in completing the exception form. | | ✔ | ✔ | | ✔ |
| OIS will perform a risk assessment after receiving the completed request materials. | | | | ✔ | |
| Exception requests for the purpose of convenience or personal preference, or that pose unacceptable risk to the university, will not be approved. | ✔ | ✔ | ✔ | ✔ | ✔ |
| The CISO will review exceptions that pose high risk to the university. | | | | ✔ | |
| Exception requests involving the reduction of security controls and/or settings will not be implemented until the exception has been reviewed and approved by the OIS. | ✔ | ✔ | ✔ | ✔ | ✔ |
| The OIS will review granted exceptions annually at a minimum to determine whether the exception is still appropriate. | | | | ✔ | |

Summary of Policy

Strong security policies are crucial for protecting WashU’s information resources. However, perfect adherence by every member of the WashU Community is not always feasible. The exception policy clearly communicates how the OIS handles exception requests when compliance with published policies and standards is not possible. This policy includes details about the following topics:

  1. Preparing an exception request
  2. Assessing risks associated with exceptions
  3. Escalating high-risk exception requests to the CISO for review
  4. Implementing compensating security controls
  5. Documenting and reviewing exceptions

Full Text of Policy

Policy 114 Information Security Exceptions

The Information Security Exceptions Policy clearly communicates how the OIS handles exception requests when compliance with published policies and standards is not possible.

Related Information

105 Information Security Risk Management

This policy describes how the Office of Information Security (OIS) helps manage technical and process risks to the Confidentiality, Integrity, and Availability (CIA) of information resources at Washington University in St. Louis (WashU).