Information Security Policy Exception Process
Last Updated: August 15, 2024 9:21:54 AM PDT
Procedures and Guidance for Requesting IT Policy Exceptions
University of California’s systemwide Information Security Policy, IS-3, requires that systems and data not able to meet the requirements of the policy and its associated standards receive an approved exception from the policy. These exceptions must be requested on behalf of the unit within which the system exists. IS-3 states,
“Units must follow a risk-based approach when requesting an exception to the controls specified in Part III, Sections 7 to 18. Exception requests must be submitted to the CISO and follow the Location-approved exception process. Units requesting an exception must explain:
- Why the exception is needed.
- The duration of the exception request.
- How any proposed compensating controls mitigate security risks that this policy would otherwise address.
Some exceptions require compensating controls. These exceptions are:
- Obligations created by an agreement, regulation or law.
- When Institutional Information classified at Protection or Availability Level 3 or higher is involved (see Section 8: Asset Management and Classification for level details).
- When IT Resources classified at Protection or Availability Level 4 are involved.
Units may also provide a cost benefit analysis when requesting an exception.”
At UC San Diego, exception requests will be reviewed by the campus Chief Information Security Officer (CISO)* as required by IS-3, and if approved by the CISO, approval will be sought from the Unit Head*, with the following outcomes and contingencies:
- If the risk introduced by the request is restricted to the unit, approval will then be granted.
- If any unmitigated risk due to the exception exceeds $100,000 or if individuals or university functions outside of the unit remain at risk, approval will also be required of the campus cyber responsible executive* (CRE).
- Note that other relevant subject matter stakeholders or campus administrators may be consulted as appropriate during the review process.
Requesting an Exception
Please compose an email with the details of the exception, including:
- The policy element or control for which an exception is being requested
- Why the exception is needed
- The duration the exception is being requested
- Any compensating measures put into place to mitigate the risk of not meeting policy requirements
Exception Guidance
It is strongly recommended that you consult with your unit’s IT support staff before requesting an exception. Typically they will work with you to put satisfactory mitigation measures in place to reduce or eliminate the risk from non-compliance with IS-3. You are also encouraged to contact the Office of Information Assurance (security@ucsd.edu) with questions and for a consultation. Faculty may also avail themselves of the IT Services Research IT team (research-it@ucsd.edu).
Exception requests are intended to address significant areas of risk and are not required for low-risk issues. If you are unsure of whether your situation requires an exception, please contact the Office of Information Assurance at security@ucsd.edu.
Please note
- PCI (systems involved with credit card handling) must comply with campus PCI policy and PCI data security standards. Exceptions will not be entertained.
- HIPAA related issues should be directed to the UC San Diego Health security office at HS-InformationSecurity@AD.UCSD.EDU.
Responsible Individuals*
- Unit heads: for the purposes of IS-3, unit heads are the Vice Chancellors for their respective domains. Within the portfolio of the EVC, the Academic Deans are the unit heads for their academic divisions, as are the heads of major units such as SDSC, HDSI, and the Qualcomm Institute.
- The CISO is Arlene Yetnikoff (ayetnikoff@UCSD.EDU).
- The CRE is Vice Chancellor-Chief Financial Officer Pierre Ouillet.