Standards & Exception Process

Standards Process

Policy Creation and Approval

University policies are created and approved through a shared governance process. A further description of this process can be found on the Academic Senate, Staff Council and Student Government websites.

Standards Creation and Approval

In 2005, the RIT shared governance organizations approved the Information Security Policy which vested the Information Security Office with the role of leading the RIT community in the creation, approval and implementation of Information Security Standards.

  • Core Teams composed of subject matter experts meet to create draft standards that are supportable and comprehensive.
  • The Information Security Council reviews and approves proposed standards. The Information Security Council is composed of representatives from across the University. The Information Security Council representatives also serve as coordinators in their departments to facilitate the implementation of standards.

Exceptions Process

Anyone not in compliance with an RIT Information Security Standard is subject to sanctions including suspension of computer and network privileges and/or the full range of current university personnel and student disciplinary processes.

In a small number of circumstances, it may not be possible to comply with an Information Security Standard. The Information Security Office provides the following method for obtaining an exception to compliance with a published Information Security Standard. Exception requests must be endorsed by the appropriate Information Trustee (VP, Dean, or CIO); an email from the Information Trustee endorsing the request is acceptable in place of a signature.

An exception may be granted by the RIT Information Security Office for non-compliance with a standard resulting from:

  • Implementation of a solution with equivalent protection.
  • Implementation of a solution with superior protection.
  • Impending retirement of a legacy system.
  • Inability to implement the standard due to some limitation.

Exceptions are granted for a specific period of time, not to exceed two years. Each request is reviewed on a case-by-case basis, and approval is not automatic.

The Exception Request should include:

  • Description of the non-compliance
  • Anticipated length of non-compliance
  • Proposed assessment of risk associated with non-compliance
  • Proposed plan for managing the risk associated with non-compliance
  • Proposed metrics for evaluating the success of risk management (if risk is significant)
  • Proposed review date to evaluate progress toward compliance
  • Endorsement of the request by the appropriate Information Trustee (VP, Dean, or CIO)

If the non-compliance is due to a superior solution, an exception will normally be granted until the published standard or procedure can be revised to include the new solution. An exception request must still be submitted in this case.

For questions about exception requests, please email infosec@rit.edu.