Type of Request
Is this exception request regarding a particular system/service, or is it regarding a network range? (Select One)
The Exception Process
The Urbana Campus Administrative Manual charges the Urbana Campus CIO with reviewing requests for exceptions to information security policy. The Urbana CIO has designated the Chief Privacy and Security Officer and by extension, the Office of Privacy and Information Security as the clearinghouse for all security policy exception requests.
Once the exception request is submitted via this form, it will be evaluated for risk as deployed, including any mitigating controls, and a Risk Acceptance form will be provided to the requestor.
The requestor will have it signed by the unit's chief executive business officer authorized to commit budgetary resources toward the costs associated with a security incident (i.e. Dean, Vice Chancellor, or another authorized individual designated on their behalf).
The form is then returned to the Privacy and Security Office.
(Email approval will also be accepted if it comes directly from the email account of the approving officer and not through an intermediary.)
After the signed Risk Acceptance is received, Privacy and Security will notify campus Network Engineering, who will create a firewall rule to permit the traffic.
Please complete the information on the following pages to enable assessment of the risks associated with the request.
Campus Policy Governing Exceptions to Information Security Policy
In certain cases, compliance with specific policy requirements may not be immediately possible. Reasons include, but are not limited to, the following:
- Required commercial or other software in use is not currently able to support the required features;
- Legacy systems are in use which do not comply, but near-term future systems will be in compliance, and are planned for;
- Costs for reasonable compliance are disproportionate relative to the potential damage.
In such cases, units must develop a written explanation of the compliance issue and a plan for coming into compliance with the University's Information Security Policy in a reasonable amount of time. Explanations and plans must be submitted to the campus CIO or the equivalent officer(s).
Source: Campus Administrative Manual (http://cam.illinois.edu/viii/VIII-1.2.htm)