Information Security

Exception Requests FAQ

Q1. What is an exception? 

As defined by the Integrated California State University Administrative Manual (ICSUAM) 8020.S000:  “A campus may decide to allow exceptions to CSU or campus policies, standards or practices. Campuses must develop criteria for determining the organization with authority to approve an exception (i.e. manager, ISO, CIO, data owner, or combination of personas appropriate). Exceptions may be granted when the campus decides, after a risk assessment, that there are adequate compensating controls. When adequate compensating controls do not exist, the campus must follow it’s risk management process to ensure that the exception is approved by an appropriate Vice-President or other campus administrator with fiscal responsibility for addressing the result of risk acceptance.When a campus grants an exception or accepts a risk, it must comply with the following minimum standards to identify, monitor and periodically review the exception.”

Q2.  What are the requestable exception types?

  Exceptions to CSU, campus or identified IT audit findings may be granted for:

  1. Border firewall rules
  2. Centralized computer management
  3. Local administrator rights on computers
  4. Remote desktop access to workstations or servers
  5. Access to restricted network segments (VLANs or internal firewall rules)
  6. Permission to install sensitive Level 1 applications or data storage on mobile devices
  7. Minimum server security standards (unpatchable software, expired software)
  8. Shared accounts (kiosk computers, labs)

Q3.  How do I request an exception?

The exception request process begins with submitting a General Security Exception ticket:

This ticket request will be reviewed by the Information Security team and a security exception form will be returned to you as an attachment to the ticket request.  The form will be customized for your specific exception request.

Q4.  What signatures will be required on the exception form?

Depending on which exception is being requested, a short or long form will be returned to you for signature(s).  Some exceptions only require your and your department chair or manager signatures and acknowledgement of the risk and the compensating controls or adherence to campus IT security policies you will be following.  Exceptions being requested that pose high risk to the University will require acknowledgement of the risk, compensating controls and adherence to campus IT security policies in addition to department acceptance of any cost associated with a data breach and three levels of signatures will be required (requestor, dept head, division VP).

Q5.  How long does the exception request take?

Depending on the risk to the University, some requests may be completed within 2-3 business days after ticket submittal or may take a few weeks if division vice presidents need to sign for the exception.  The time may also vary depending on the type of exception being requested and if other IT teams (ITSS, Network Operations, etc) are required to complete the work. 

Q6.  Who grants the exception?

The campus Information Security Officer or designee will review all exception ticket requests, perform the risk assessment and communicate to the requestor the progress of the review process.  When the exception is granted by the ISEC office, the exception is not in effect until the exception form signatures are in place.