Security Exception Reporting Process

Effective Date: January 01, 2006

Last Edited: September 14, 2007

See the change log for a list of significant changes made to this document.

I. Purpose

This reporting process serves as a supplement to The IT Security Operations Manual, The University of Texas at Austin’s implementation of UT System UTS-165. Adherence to the process will increase the security of systems and help safeguard university information technology resources.

It is the intent of the Information Security Office (ISO) that all owners and custodians of information technology resources adopt university IT security policies and procedures. However, there will be situations where the strict application of a policy would significantly impair the functionality of a service and the policy or procedure must be modified to accommodate specific requirements. This process provides a method for documenting an exception to compliance with a published university security policy or procedure.

II. Scope

This process applies to all published university information security standards and procedures. This process does not apply to specific department standards or procedures.

III. Description

An exception to a published policy or procedure may be granted in any of the following situations:

  • Temporary exception, where immediate compliance would disrupt critical operations.
  • Another acceptable solution with equivalent protection is available.
  • A superior solution is available. An exception will be granted until the solution can be reviewed, and standards or procedures can be updated to allow the better solution.
  • A legacy system is being retired (utilize a process to manage risk).
  • Lack of resources.

IV. Process

The IT owner must approve all exceptions to university policy. The Information Security Office is available for assistance at all stages of this process.

After approving an exception, the IT owner or their designee must submit an Exception Request to the Information Security Office using the online Security Exception Request Form.

The Security Exception Request must include:

  • Description of the non-compliance
  • Anticipated length of non-compliance
  • Assessment of risk associated with non-compliance
  • System(s) associated (for example, host names or IP addresses)
  • Data Classification Category(s) of associated system(s)
  • Plan for alternate means of risk management
  • Metrics to evaluate success of risk management (if risk is significant)
  • Review date to evaluate progress toward compliance

The Information Security Office may report exceptions to university Information Security Policies to university compliance officials, as described in the IT Security Operations Manual.