Exception Process and Compliance
In a small number of circumstances, it may not be possible to comply with an Information Security Standard. The Information Security Office has provided the following method for obtaining an exception to compliance with a published information security standard. Exceptions must be approved and signed by the President, a VP or Dean.
An exception MAY be granted by the RIT Information Security Office for non-compliance with a standard resulting from:
- Implementation of a solution with equivalent protection.
- Implementation of a solution with superior protection.
- Impending retirement of a legacy system.
- Inability to implement the standard due to some limitation.
Exceptions are granted for a specific period of time, not to exceed one year. Each request is reviewed on a case-by-case basis, and approval is not automatic.
The Exception Request must include:
- Description of the non-compliance
- Anticipated length of non-compliance
- Proposed assessment of risk associated with non-compliance
- Proposed plan for managing the risk associated with non-compliance
- Proposed metrics for evaluating the success of risk management (if risk is significant)
- Proposed review date to evaluate progress toward compliance
- Endorsement of the request by the appropriate Information Trustee (VP or Dean).
If the non-compliance is due to a superior solution, an exception will normally be granted until the published standard or procedure can be revised to include the new solution. An exception request must still be submitted.
- Information Security Exception Process
- Information Security Exception Request Form (PDF)
- Information Security Exception Request Form
The Exception Request Form must be submitted to the Information Security Office, firstname.lastname@example.org, Ross Building 10-A200.