An exception request must be on file for compliance deviations that affect Institutional Information and IT Resources classified as Critical IT Infrastructure, Protection Level 3 or 4, or Availability Level 3 or 4.
Compliance deviations can come from:
- UCI Information Security Standards
- UC Information Security Policy, IS-3
- Applicable security requirements of laws, governmental regulations, agreements, grants, contracts, or external obligations.
Exception Request Form:
Download the following form to create an exception request. Once the form is completed, submit the request to securityrisk@uci.edu
Exception Request Process
Step 1: Fill out the security exception request form
- The Unit Information Security Lead (UISL) or delegate must submit the request to OIT Security.
- Exception requests cannot have an expiration date beyond 1 year.
- Signatures are not expected to be captured in this step of the request process.
Step 2: Submit the exception request form to securityrisk@uci.edu
- Once the request is sent, OIT Security will review the request. If additional information is needed, OIT Security will reach out to the requestor and UISL.
Step 3: Chief Information Security Officer (CISO) or delegate reviews the request:
- CISO identifies the risk accepter who is a Unit Head with the level of authority that matches the risks identified, and any other individuals who may need to approve the request.
- CISO has the ability to:
  - Grant the exception request as submitted.
  - Grant the exception request with added modifications.
  - Reject the exception request.
Step 4: Requestor and UISL share and discuss the exception request with the identified risk accepter.
- Unit acceptance includes acceptance of risks and potential financial loss.
- If cyber insurance applies, then the Unit is responsible for the UC cyber insurance deductibles.
- If cyber insurance doesn’t apply, then the Unit is fully financially responsible for the total incident cost.
Step 5: Notify OIT Security that the risk accepter has agreed to formally sign and accept the risk and is ready to sign off on the exception.
- OIT Security will set up an electronic form to collect digital signatures.
- Once all signatures are complete, the final document is archived with the associated asset in the campus ITRM/GRC tool.