Exception Process

An exception request must be on file for compliance deviations impacting Institutional Information and IT Resources classified as Critical IT Infrastructure, Protection Levels 3 and 4, and Availability Levels 3 and 4.

Compliance deviations can come from:

    • UCI Information Security Standards
    • UC Information Security Policy, IS-3
    • Applicable security requirements of laws, governmental regulations, agreements, grants, contracts, or external obligations.


Exception Request Form:

Download the following form to create an exception request. Once the form is completed, submit the request to securityrisk@uci.edu.


Exception Request Process

Step 1: Fill out the security exception request form

    • The Unit Information Security Lead (UISL) or delegate must submit the request to OIT Security.
    • Exception requests cannot have an expiration date beyond 1 year.
    • Signatures are not expected to be captured in this step of the request process.


Step 2: Submit the exception request form to securityrisk@uci.edu

    • Once the request is sent, OIT Security will review the request. If additional information is needed, OIT Security will reach out to the requestor and UISL.


Step 3: Chief Information Security Officer (CISO) or delegate reviews the request:

    • CISO identifies the risk accepter, a Unit Head whose level of authority matches the risks identified, and any other individuals who may need to approve the request.
    • CISO has the ability to:
      • Grant the exception request as submitted.
      • Grant the exception request with added modifications.
      • Reject the exception request.


Step 4: Requestor and UISL share and discuss the exception request with the identified risk accepter.

    • Unit acceptance includes acceptance of risks and potential financial loss.
      • If cyber insurance applies then the Unit is responsible for the UC cyber insurance deductibles.
      • If cyber insurance doesn’t apply then the Unit is fully financially responsible for the total incident cost.


Step 5: Notify OIT Security that the risk accepter has agreed to formally accept the risk and is ready to sign off on the exception.

    • OIT Security will set up an electronic form to collect digital signatures.
    • Once all signatures are complete, the final document is archived with the associated asset in the campus ITRM/GRC tool.