Summary
When a device doesn’t meet campus information security requirements, it poses a risk to all other devices on the network. Campus information security requirements are designed to protect our systems and data. Anything that doesn’t meet these requirements may face removal from the campus network if it poses a significant risk.
If you – or your department/unit – have a device or IT service that can’t meet campus information security requirements but must remain on the network, you should request a policy exception to avoid it being blocked unexpectedly.
Please be aware that all exceptions are temporary, and systems must ultimately be brought into compliance.
Process
All exception requests are reviewed by the Information Security Office (ISO). Approval is based on whether the risks have been adequately addressed. ISO can also help you with the process and recommend options so your device/service can stay on the network.
The steps associated with the Information Security Policy Exception process are:
-
Complete a policy exception request form (links below).
-
The request is reviewed by the Information Security Office and approved, alternatives proposed, or escalated.
-
You should hear back from an information security analyst within a week.
-
Escalation Process: Exception requests that pose a greater risk than the Information Security Office can accept are escalated to the Department or Unit Head. Additional approvals may also be required based on the level of risk the exception represents.
Request Forms
-
Request Form for Personally Owned Devices - only for devices not used for University business purposes and not containing Institutional Information
Additional information
For detailed information, please see Request an Information Security Policy Exception