Policy 114 Information Security Exceptions
- Purpose
- Applicability and Audience
- Information Security Roles and Responsibilities (100.01)
- Policy
- Policy Compliance
- Related Policies, Standards, and Guidelines
- References
- Policy Review
Purpose
The exception policy and associated guidance provide a well-defined approach for the review and documentation of requests for exceptions to published Information Security policies, standards, and guidelines at Washington University in St. Louis (WashU).
Applicability and Audience
This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data. This excludes personally owned devices.
This policy applies to all members of the WashU Community, including faculty, staff, students, and any agent of the university with access to WashU information and networks for contracted services. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.
Information Security Roles and Responsibilities (100.01)
Policy
114.00 Introduction
The WashU Office of Information Security (OIS) policy and standards library follows recommendations published by organizations such as the National Institute of Standards and Technology (e.g., NIST CSF, SP 800-53). The purpose of the OIS policy and standards library is to meet regulatory, state, federal, and industry requirements and ensure the ongoing Confidentiality, Integrity, and Availability (CIA) of WashU information resources. WashU recognizes that the objectives and technology needs of departments and schools may additionally be affected by compliance requirements.
In limited circumstances, a department, school, or WashU Community member may request to waive an information security requirement (e.g., using WashU 2FA for authentication) if compliance with published policies and standards is not feasible or practical.
114.01 Preparing an Exception Request
A department, school, or WashU Community member that is not able to meet the requirements stated in OIS policies and standards will submit a policy exception request form that includes the following information:
- An explanation of why compliance is not feasible or practical
- Impacted systems
- Classification of data, information, and systems involved
- Impacted end users
- A description of technical capabilities that will be hindered by compliance with published policies
- The duration of the requested exception
- Suggestions of compensating security controls that may be applied
- A description of the department, school, or individual’s plan for meeting any applicable compliance requirements.
Completion of the form may require assistance from the supporting IT department, Data Owner, and System Owner.
114.02 Processing Exception Requests
OIS will perform a risk assessment after receiving the completed request forms, diagrams, and reference material from the requestor. Final assessment reports are returned within two to three weeks. If this timeline will not be achieved, OIS will provide an updated timeline.
Exception requests are reviewed on a case-by-case basis. Following Policy 105: Information Security Risk Management, the OIS will qualitatively assess the possible impact or harm to the university that could arise because of the exception. Exception requests that pose unacceptable or unmitigated risk to the university may not be approved or implemented. Exception requests for the purpose of convenience or personal preference will not be approved.
Exceptions that pose a high risk for the university will be escalated to the Chief Information Security Officer (CISO) for review. The CISO may request additional information from the department, school, or WashU Community member and may work with executive leadership to determine a final resolution.
114.03 Implementing and Reviewing Exceptions Granted
Exception requests involving the reduction of security controls and/or settings will not be implemented until the exception has been reviewed and approved by the OIS. Additional change control policies and procedures may apply.
The OIS may change the exception status at any time due to a security incident or a change to the risk posed to WashU information, network, or systems.
The OIS will review granted exceptions annually at a minimum to determine whether the exception is still appropriate. The OIS will document the results of the review.
Policy Compliance
The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.
Internal Audit will independently review logical and physical controls, reporting findings and recommendations to senior management and the Board of Trustees.
Related Policies, Standards, and Guidelines
Policy 105: Information Security Risk Management
References
National Institute of Standards and Technology (2018) Cybersecurity Framework
National Institute of Standards and Technology (2020) Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations, Rev. 5
Policy Review
This policy will be reviewed by the OIS at a minimum of every three years.
Policy Number and Title: 114 Information Security Exceptions
Owner: Office of Information Security
Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: 10/8/2024
Current Version Publication Date: 11/8/2024