STANDARD FOR POLICY EXCEPTION AND RISK MITIGATION

The University of Texas at San Antonio

Office of Information Technology

Office of Information Security (OIS) Standards

OIS 29 – Standard for Policy Exception and Risk Mitigation

I. STANDARD STATEMENT

While it is the intent of the Office of Information Technology that policies and procedures be adopted by the owners and stewards of information technology resources, there may be occasional exceptions to the application of policy due to technical, operational or administrative issues. In such cases the exception must be registered, the risk must be evaluated, mitigated, and documented, and then formal approval must be obtained. The department requesting the exception must manage the risk(s) resulting from the exception.

II. RATIONALE

This standard supports HOP Policy 8-12 Information Resources Use and Security Policy

III. SCOPE

This standard applies to all UTSA faculty, staff, and students.

IV. CONTACTS

If you have any questions about OIS 29 – Standard for Policy Exception and Risk Mitigation contact the following office:

The Office of Information Security

informationsecurity@utsa.edu

V. PROCEDURES  

1. Exception Process
   1. The department requesting the exception must provide the following:
      1. Identification of the applicable policy
      2. Description of the requested exception
      3. The date the exception will start and end
      4. Reason why the policy cannot, or should not, apply
      5. Description of the system impacted and the level of confidentiality of the data impacted
      6. Description of other risks that might occur
      7. Description of how the system will be monitored and the compensating controls that will be established.
2. Requests for exceptions will be submitted to the Information Security Officer electronically by the head or chairperson of the responsible department, after consultation with the technical representative for that department or unit. If the exception is denied, the issue may be escalated to the Vice Provost for Information Technology and CIO. If denied, the issue may be escalated to the Vice Provost for Information Technology and CIO.

______________________________________________________________________________

Effective Date: January 10, 2012

Last Revised: Apr 27, 2020