114 Information Security Exceptions

The following table shows who is responsible for ensuring compliance with the policy requirements listed below.

Requirement/Expectation	All Users	Data/System Owners	System Custodians/ Administrators	OIS	Departments, Schools, Units
A department, school, or WashU Community member that is not able to meet the requirements stated in OIS policies and standards will submit a policy exception request form.	✔	✔	✔	✔	✔
Department IT, Data Owners, and System Owners may assist in completing the exception form.		✔	✔		✔
OIS will perform a risk assessment after receiving the completed request materials.				✔
Exception requests for the purpose of convenience or personal preference or that pose unacceptable risk to the university will not be approved.	✔	✔	✔	✔	✔
The CISO will review exceptions that pose high risk to the university.				✔
Exception requests involving the reduction of security controls and/or settings will not be implemented until the exception has been reviewed and approved by the OIS.	✔	✔	✔	✔	✔
The OIS will review granted exceptions annually at a minimum to determine whether the exception is still appropriate				✔

Summary of Policy

Strong security policies are crucial for protecting WashU’s information resources. However, perfect adherence by every member of the WashU Community is not always feasible. The exception policy clearly communicates how the OIS handles exception requests when compliance with published policies and standards is not possible. This policy includes details about the following topics:

1. Preparing an exception request
2. Assessing risks associated with exceptions
3. Escalating high-risk exception requests to the CISO for review
4. Implementing compensating security controls
5. Documenting and reviewing exceptions

Full Text of Policy

Related Information

Coming soon.