Policy or Standard Exception Requests are a process for temporarily exempting an individual or organization from meeting the requirements defined by a policy or standard. They are meant to assist areas in defining compensating controls until the area can comply with the policy or standard. The process also gives the organization an external set of eyes to review the affected area and determine whether a compensating control is adequate.
All exception requests must be submitted via the Exception Request Form. All fields, with the exception of “Additional Information”, must be filled out. Once submitted, the form will be sent to the Information Security Office (ISO) for review.
The ISO meets monthly, typically on the first Thursday of each month, and reviews submitted exception requests at that meeting. If ISO members have no further questions, the request will be approved or denied. If there are further questions, the request will be assigned to an ISO member, who will contact the person who submitted the form for clarification. Depending on the amount of clarification needed, the exception may not be approved or denied until the next ISO meeting.
Each exception will be reviewed at least annually.
Once a decision is made, a form will be sent to the requestor and to the supervisor indicated on the request. The ISO will send this form by email within three business days. This form must be retained for the period that the exception is valid, and it serves as supporting documentation in the event that you are audited by Internal Audit.
The organization that requested the exception must notify the ISO in the event that the exception is no longer needed. If the circumstances for an approved or requested exception change, a new request must be submitted via the form.