Security Policy Exceptions
Purdue University Calumet information security policies, standards, guidelines, and procedures institute controls that are used to protect Purdue University Calumet data and IT Resources. While every exception to a policy or standard weakens protection for University IT Resources and underlying data, occasionally exceptions will exist. Centralized and departmental IT units and IT Resource owners who are responsible for ensuring appropriate enforcement of University information security policies and related standards on University IT Resources must use this procedure when requesting an exception to Purdue University Calumet information security policies, standards, guidelines, and procedures.
The following procedure defines the process for the review and approval of exceptions to Purdue University Calumet information security policies, standards, guidelines, and procedures:
- A manager (or their designee) seeking an exception must assess the risks that non-compliance poses to Purdue University Calumet IT Resources and business processes. If the manager believes the risk is reasonable, the manager prepares a written request describing the risk analysis and requesting the exception.
  NOTE: The only reasons that justify an exception are when compliance adversely affects business objectives or when the cost to comply outweighs the risk of non-compliance.
  The risk analysis includes:
  - Identification of the threats and vulnerabilities, how likely each is to occur, and the potential costs of an occurrence.
  - The cost to comply.
- Submit the request for exception to the Vice Chancellor for Information Services, or his or her designee. The Information Services Security group will gather any necessary background information and make a recommendation to approve or deny the request. This group may recommend that other areas such as Data Steward(s), Departmental Computing Managers, and/or Internal Audit review certain decisions.
- The Vice Chancellor for Information Services, or his or her designee, will approve or deny the request for an exception.
- The requesting manager will be notified of the decision to approve or deny.
- All requests for exception will be retained by The Office of Information Services.
- Exceptions are valid for a one-year period. Annually, the Assistant Director for Information Security and Assurance will send a copy of approved exceptions back to the requesting manager, who must determine whether the conditions that justified the original exceptions are still in effect. If the conditions have substantially changed, a new request for exception must be submitted. Where little has changed, the review process may be shortened as recommended by the Vice Chancellor for Information Services, his or her designee, and/or the Assistant Director for Information Security and Assurance.