Request an Information Security Policy Exception

Exception Requests 

Resource Proprietors and Resource Custodians who believe their environments require configurations that do not comply with the Minimum Security Standards (see below), or whose environments do not currently comply with the Minimum Security Standards, must request an exception. An exception is required for each control that is not met. Multiple devices can be covered by a single request, but each request can cover only one control. For example, a request for an exception to control 2.1: Managed software inventory may list multiple servers, but a separate request is required if those servers are also not in compliance with control 3.1: Secure device configurations.

Exception requests are evaluated by the Information Security Office for risk and mitigating factors. We may grant a temporary exception while working with the requester to establish a timeline for compliance and implementation of interim mitigating controls, or may approve an exemption for atypical systems with appropriate alternative controls.

Non-compliant systems that pose a significant risk to campus resources may face removal from the campus network and/or other take-down action. Unapproved requests or expired exceptions may be escalated by ISO, the Resource Proprietor, or the Resource Custodian to the IT Policy Office (itpolicy@berkeley.edu) for review. IT Policy will coordinate an IT and/or functional stakeholder review and response. Unresolved compliance issues will be further escalated to the IT Leadership Group, and/or other campus IT Governance and campus enterprise risk bodies, as appropriate.

If you have questions about the Minimum Security Standards or the exception process, please email security@berkeley.edu.

Minimum Security Standards

Networked Devices

The Minimum Security Standards for Networked Devices (MSSND) apply to all devices that connect to the campus electronic communications network or use a berkeley.edu origin address in their electronic communication. These devices include computers, printers, gaming consoles, and other networked appliances.

Electronic Information

The Minimum Security Standards for Electronic Information (MSSEI) define the minimum set of confidentiality controls for systems handling Protection Level 1 and Protection Level 2 data as defined in the Berkeley Data Classification Standard.

Request Form

Use this form to submit an exception request: Information Security Policy Exception Request Form
