Minimum Security Standards
Networked Devices
The Minimum Security Standards for Networked Devices (MSSND) apply to all devices that connect to the campus network, use a berkeley.edu origin address in their electronic communication, or handle UC data. These devices include computers, laptops, phones, printers, gaming consoles, lab equipment, and other networked appliances.
Electronic Information
The Minimum Security Standards for Electronic Information (MSSEI) define the minimum set of security controls for systems used with Institutional Information, and for all campus IT infrastructure and IT services.
Exception Request Process
Use the Information Security Policy Exception form to request an exception.
An exception is required for each device that does not meet minimum security standards. This process and form are also required where campus, regulatory, legal or contract requirements related to information security cannot be met. Exceptions will be granted for a maximum of one year.
Resource Proprietors and Service Providers: If your environments or configurations do not comply with the Minimum Security Standards listed above, you must request an exception using the form linked below. This process can also be used to request an exception from other campus information security requirements.
Personally-Owned Devices: Individuals whose personal devices or configurations do not comply with Minimum Security Standards may use this form to submit an exception request to allow the device to connect to (or remain on) the campus network. This category only applies to personal devices not used for University business purposes and that do not contain institutional information.
Annual review is required for exception renewal. Please be aware that all exceptions are temporary, and systems must ultimately be brought into compliance.
Non-compliant systems that pose significant risk to campus resources may face removal from the campus network and/or other take-down action regardless of exception status.
Approvals
Exception requests are evaluated by the Information Security Office (ISO) based on risk and mitigating factors. Approval is based on whether the risks have been adequately addressed. Approval by the Chief Information Security Officer (CISO), a Department or Unit Head with the level of authority that matches the risks identified, and other additional approvals may also be required based on the level of risk the exception represents.
Unit risk acceptance includes acceptance of potential financial loss associated with UC's insurance deductibles. These are based on Protection Level as follows:
- $100,000 for incidents involving Institutional Information classified at P4
- $40,000 - $75,000 for incidents involving Institutional Information classified at P2 or P3
- $20,000 for incidents involving Institutional Information classified at P1
Temporary exceptions may be granted while the requester works with ISO to establish a timeline for compliance and implementation of interim mitigating controls.
Escalation: Unapproved requests or expired exceptions may be escalated to the CISO for review via security@berkeley.edu. The CISO will coordinate an IT and/or functional stakeholder review and response. Unresolved compliance issues will be further escalated to the IT Leadership Group, and/or other campus IT Governance and campus enterprise risk bodies, as appropriate.
Getting Help:
If you have questions about the Minimum Security Standards or the exception process, please email security@berkeley.edu.
Request Form
Use the Information Security Policy Exception form to request an exception.
Change Log
- Oct. 12, 2019: added version of form for personally owned devices not used for University business purposes and containing no University Institutional Information; additional questions on institutional form regarding data classification and risk identification. Exceptions must be approved by the CISO and the Unit responsible for the data/business function impacted by the exception.
- May 1, 2023: Updated Protection Level notation (no change to requirements)
- Jun 22, 2023: Removed obsolete "exemption" reference and clarified who approves exceptions.
- Sept 9, 2023: Updated links to new exception forms.
- Apr 22, 2025: Deleted link and reference to personally owned devices form.
- June 9, 2025: Updated content based on edits to the exception form