Information Security Standard Exception Request

Use this service to request an exception to required standards published by the Information Security Office (ISO). 

The Information Security Office (ISO) is charged with protecting the university’s data and information assets and does so through the Information Security Policy and Information Security Program. As such, the ISO has issued standards and controls that must be followed by all university owned information systems. Exceptions to the Information Security Program are not intended to be permanent, the exception process is intended to give time to the requester to implement a control or standard, or in some cases implement alternate, equivalent compensating controls. 

In general, an exception to a published IT/information security policy, standard or practice may be granted in any of the following situations: 

  • Temporary exception, where immediate compliance would disrupt critical business operations 
  • Another acceptable solution with equivalent protection is available 
  • A superior solution is available 
  • A legacy system is being retired and compliance is not possible (risk must be managed) 
  • Long-term exception, where compliance would adversely impact university business 
  • Compliance would cause a major adverse monetary impact that would not be offset by the reduced risk occasioned by compliance (i.e., the cost to comply offsets the risk of non-compliance)

When an exception to a standard is granted, the responsible unit will accept the risks the exception represents to the university. As such, you must consider the following: 

  • Depending on the nature of the exception, the University’s Cyber Liability Insurance policy may not cover incidents or compromises directly resulting from the exception. (i.e., If the decision not to encrypt a computer is made, and the records are stolen, external regulations may dictate fines or other penalties be levied.  In this case, your department may be liable.) 
  • How sensitive is the information processed? If the information is High Risk, your exception request may be denied.  
  • Are there compensating controls proposed or used? 

For more information, see the Information Security Office Policies, Procedures, and Standards web page.

How to Create a Ticket

To request an exception click Create a Ticket (top right of the page) and provide the following required information.

  1. Standard
  2. Why can't the standard be followed? If disability-related, please do not share confidential medical information when explaining challenges.
  3. Duration of the exception request (1, 2, 3, 6, or 12 months)
  4. Top-level Administrator (TLA) or their designee is the head of the college, department, or unit (e.g., Vice Provost/Vice President/Dean/Department Head)
  5. Mitigating controls being put in place to manage the security posture of the University computing and information resource
  6. Attach any supporting documents

Availability and Access

Current UO affiliation
 
You can expect the exception to be reviewed within 10 business days.

Questions

If you have any additional questions contact infosec@uoregon.edu

[back to top]

 
Request Exemption

Related Articles (4)

Information Security recommendations before, while, and after returning from traveling abroad
List of recommendations for users planning to travel abroad with computing resources.
Personal Computer Security Guidelines for macOS
Security best practices and guidelines for personally owned computers running the macOS operating system.
SSL Certificates
Info on SSL certificates.
Systems and Applications Lifecycle Management Procedure
Security best practices and the campus Minimum Information Security Controls Standard require using supported software to ensure timely security updates. Unsupported software must be upgraded or removed, and it's essential to monitor your applications' and operating system's "end of life" status to plan for necessary upgrades.