Exception Form

In the exception form’s review process, our team works with the requestor to evaluate the risks that may arise because of the policy, workstation, or server exception. Our office is particularly concerned with protecting personally identifiable information (PII), protected health information (PHI), and our community’s shared information resources. The workstation/server section documents systems that can no longer be updated to a current operating system. We assess each exception request in light of these concerns, allowing us to meet the unique needs of our community members while also maintaining the confidentiality, integrity, and availability of our information and resources.

Please Note

  • Please include as much detail as possible in your responses to form questions. See our Questions for Tickets page for additional guidance.
  • If you need assistance, please contact the Office of Information Security at infosec@wustl.edu.

Guidance

Creating a New Form

  1. From the Forms page on the OIS website, click “Exception Form.”
  2. Enter your WUSTL email address in the OneTrust login page. If you aren’t already logged in with DUO, you will be prompted to complete our WashU 2FA process.
  3. From the Self-Service Assessment main page, click “Launch” on the Exception Form button.
  4. Enter a name for your Assessment. Please use the following format “PE-your last name.”
  5. Click “Launch” at the bottom of the page.

Form Questions

To submit a complete exception form, please answer all the required questions in the categories “General,” “Workstation/Server,” and “Compliance.” Any question marked with an asterisk is required and must be completed before the form can be submitted.

Exception Form

Be prepared to provide information about the following:

General Questions

  • Asset Name
  • Requestor name
  • Requestor email
  • Business Manager/Department Manager
  • Exception: Asset Exception, End of Support (Server), End of Support (Workstation), or Policy Exception
  • ServiceNow Ticket Number
  • Reason for exception
  • Duration of Exception
  • Is the device used for any affiliated hospital system (BJC) project?

Encryption – If selected in Question 1.7, the following questions will appear:

  • When can the device be replaced if upgrading to a current operating system is required?
  • What is the estimated cost to replace the computer so that full disk encryption can be installed?
  • Is funding a barrier to replacement now?
  • Where applicable, can a full disk encryption product other than Microsoft Bitlocker be installed as an alternative?
  • Are there other known security problems with the computer?
  • Can a Kensington Lock be installed to reduce risk of physical theft?
  • Does the senior-most leader in the department agree with the exception request and need to review in 12 months? Please attach a PDF of approval email.

Outdated OS – If a user selects “Outdated OS” in Question 1.7, the following questions will appear:

  • What is the reason the operating system cannot be upgraded?
  • When can the device be replaced if upgrading to a current operating system is required?
  • What is the estimated cost to replace the computer?
  • Is funding a barrier to replacement now?
  • Are there other known security problems with the computer?
  • Can a small firewall be installed in front of the computer?
  • Can the computer be taken off the network?
  • Does the senior-most leader in the department agree with the exception request and need to review in 12 months? Please attach a PDF of approval email.

Workstation/Server Questions

  • Is the workstation/server connected to a network domain?
  • Is domain access required?
  • What is the asset used for?
  • Is the workstation/server encrypted?
    • If not, why can the asset not be encrypted?
  • Is the firewall enabled on the device?
  • Does the workstation/server have anti-virus/anti-malware enabled?
  • Can the workstation/server be patched/upgraded to a modern Operating System?
    • If not, please explain why it cannot be patched/upgraded.
    • What is the timeline for potentially replacing the device if an upgrade to a current operating system is necessary?
  • Is the workstation/server used to browse the internet/check email?
  • List any applications on this workstation/server that cannot be updated. Also explain why the applications cannot be updated.
  • What network is the workstation/server on: WUCON, WUSTL, BJC, Other?
  • Is network access required?
  • Can the workstation/server be accessed from outside the network?
  • Who has remote access to the workstation/server?
  • How is it accessed?
  • Can the workstation/server be retired? If yes, please provide date when it will be retired.
    • If not, explain why.
  • Can the workstation/server be replaced?
    • If so, when will it be replaced?
    • If not, why can it not be replaced?
    • What is the estimated cost to replace the computer?
    • Can the computer be taken off the network?
  • Does the workstation/server have PHI/PII stored on it?
  • Does the workstation/server have access to a file share with PHI/PII?
  • Is the workstation/server connected to any high-value peripherals?
  • Who maintains the server?
  • What is the Operating System (OS) on the server?
  • Is the server stored in a secure data center?
  • Can the server be accessed from WUCON?
  • Can the asset be accessed from WU Public Network?

Policy Exception Questions

  • What Information Security Policy are you seeking exception from: Encryption, Infrastructure, Vulnerability, Other?

Once you have answered all required questions, the “Submit” button will become available. Click it to submit your form or click “Save and Exit” to come back later.