Use this service to request an exception to required standards published by the Information Security Office (ISO).
The Information Security Office (ISO) is charged with protecting the university’s data and information assets and does so through the Information Security Policy and Information Security Program. As such, the ISO has issued standards and controls that must be followed by all university owned information systems. Exceptions to the Information Security Program are not intended to be permanent, the exception process is intended to give time to the requester to implement a control or standard, or in some cases implement alternate, equivalent compensating controls.
In general, an exception to a published IT/information security policy, standard or practice may be granted in any of the following situations:
- Temporary exception, where immediate compliance would disrupt critical business operations
- Another acceptable solution with equivalent protection is available
- A superior solution is available
- A legacy system is being retired and compliance is not possible (risk must be managed)
- Long-term exception, where compliance would adversely impact university business
- Compliance would cause a major adverse monetary impact that would not be offset by the reduced risk occasioned by compliance (i.e., the cost to comply offsets the risk of non-compliance)
When an exception to a standard is granted, the responsible unit will accept the risks the exception represents to the university. As such, you must consider the following:
- Depending on the nature of the exception, the University’s Cyber Liability Insurance policy may not cover incidents or compromises directly resulting from the exception. (i.e., If the decision not to encrypt a computer is made, and the records are stolen, external regulations may dictate fines or other penalties be levied. In this case, your department may be liable.)
- How sensitive is the information processed? If the information is High Risk, your exception request may be denied.
- Are there compensating controls proposed or used?
How to Create a Ticket
To request an exception click Create a Ticket (top right of the page) and provide the following required information.
- Standard
- Why can't the standard be followed? If disability-related, please do not share confidential medical information when explaining challenges.
- Duration of the exception request (1, 2, 3, 6, or 12 months)
- Top-level Administrator (TLA) or their designee is the head of the college, department, or unit (e.g., Vice Provost/Vice President/Dean/Department Head)
- Mitigating controls being put in place to manage the security posture of the University computing and information resource
- Attach any supporting documents
Availability and Access
Current UO affiliation
You can expect the exception to be reviewed within 10 business days.
Questions
If you have any additional questions contact infosec@uoregon.edu
[back to top]