Resource Proprietors and Resource Custodians who believe their environments require configurations that do not comply with the Minimum Security Standards (see below) or whose environments do not currently comply with Minimum Security Standards must request an exception. An exception is required for each control that is not met. (Multiple devices can be covered by a single request, but each request can only cover one control, e.g., a request for an exception to control 2.1: Managed software inventory may list multiple servers, but a separate request is required if those servers are also not in compliance with control 3.1: Secure device configurations).
Exception requests are evaluated by the Information Security Office for risk and mitigating factors. We may grant a temporary exception while working with the requester to establish a timeline for compliance and implementation of interim mitigating controls, or may approve an exemption for atypical systems with appropriate alternative controls.
Non-compliant systems that pose a significant risk to campus resources may face removal from the campus network and/or other take-down action. Unapproved requests or expired exceptions may be escalated by ISO, the Resource Proprietor, or the Resource Custodian to the IT Policy Office (firstname.lastname@example.org) for review. IT Policy will coordinate an IT and/or functional stakeholder review and response. Unresolved compliance issues will be further escalated to the IT Leadership Group, and/or other campus IT Governance and campus enterprise risk bodies, as appropriate.
If you have questions about the Minimum Security Standards or the exception process, please email email@example.com.
Minimum Security Standards
The Minimum Security Standards for Networked Devices (MSSND) apply to all devices that connect to the campus electronic communications network or use a berkeley.edu origin address in their electronic communication. These devices include computers, printers, gaming consoles, and other networked appliances.
The Minimum Security Standards for Electronic Information (MSSEI) define the minimum set of confidentiality controls for systems handling Protection Level 1 and Protection Level 2 data as defined in the Berkeley Data Classification Standard.
Use this form to submit an exception request: Information Security Policy Exception Request Form