ISO PS004 Policy Exception Management Process
Policies and Standards
Policy Name: Policy Exception Management Process
Policy Number: IS PS004
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Bruce W. Edwards
Contact Name: Bruce W. Edwards
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.0
POLICY:
Information security concerns such as regulatory, compliance, confidentiality, integrity and availability requirements are most easily met when University constituents employ centrally supported or recommended technologies. The university understands that centrally supported or recommended technologies are not always the preferred choice of a specific school, division or other university sub-division. Deviation from centrally supported or recommended technologies is discouraged. However, it may be considered provided that the alternative presents a reasonable, justifiable business and/or research case for an information security policy exception; resources are sufficient to properly implement and maintain the alternative technology; the process outlined in this and other related documents is followed and other University Policies and Standards are upheld.
Note: The purpose of this policy is to allow University entities the ability to do what is needed to further their area's mission while, at the same time, have reasonable assurance that solutions adopted are in compliance with applicable laws, regulations and University requirements.
STANDARDS:
Administrative Standards
The School, Department or other entity desiring a policy or standard exception will be, except for minor approved exception requests, guided through an assessment methodology that clarifies the direct and indirect costs associated with the alternative technology, including the technical, physical and administrative requirements consistent with laws, regulations, university policy, the risk being assumed and the regulatory climate at large, by using the "Policy Exception Management Template" (see below).
1. Preliminary:
- Prior to completion of the Policy Exception Management Template, the basic request should be sent via the web form located at http://security.louisville.edu/PolStds/ISO/policy-exception-initial-request/.
Note: Minor exceptions due to isolated circumstances may be adequately accounted for by this form alone, in which case the Policy Exception Management Template will not be required.
- After the basic information is received via the web form it will be reviewed. The submitter will then be notified of the next step.
2. If instructed to do so, the Policy Exception Management Template must be fully completed, including:
- Approval signature of appropriate level of university management for the level of potential risk being assumed (this may be a Department Chair, a Director, Dean, Vice President, the Provost or the President).
- Business and/or research case section which contains:
- Description of technology and its application.
- Information on why the IT-supported or recommended technology does not meet requirements, including the discussion held with IT.
- Suggestions on what a viable central IT supported solution would look like.
- Implementation and maintenance costs including both initial and on-going costs for required licenses, hardware, software, infrastructure, training and procedural documentation, administrative and support personnel, temporary consultants, disaster recovery, back-up, business continuity, and identified funding to support the technology during the technology's projected life cycle.
- Data Sensitivity Assessment:
- Data definition.
- Expected users of the data (faculty, staff, research, students, clinical, etc.).
- Data access restriction requirements due to laws/regulations (HIPAA, FERPA, PCI, NIH requirements, other laws or regulations, etc.), general privacy or proprietary/intellectual property concerns, University policy and/or prudent practice (this may be completed in conjunction with the Information Security Office).
- Security methodology for managing this data and access to include logical security via the operating system, database, application and other means, as applicable, as well as physical security of hardware and other related infrastructure.
- Implementation Plan
- Project implementation plan and resources, timeline devoted to implementation.
- Maintenance Plan
- Plan and resources devoted to on-going maintenance, administration, user training and contingencies.
Note: The Policy Exception Management Template can be found in the Resources > Forms section of the ISO web site located at: http://security.louisville.edu/Resources/Forms/Forms.html.
3. Documentation is submitted to the Review Committee
- Committee includes representation from the Information Security Office (ISO), Academic Technology Committee (ATC) and Information Technology (IT) as well as, in an advisory capacity, Audit Services. Note: The Committee may seek additional business and/or research advisory expertise.
- Risk Acceptance Document
- The Committee will complete a Risk Acceptance Document for the responsible entity. This document will overview the risks being assumed by the entity. This form will also document, based on the committee's assessment of the entity's documentation (as described above), whether the proposal is approved for implementation.
- The Risk Acceptance Document must be accepted, approved and signed off by the appropriate Dean or Vice President. This approval documents that the entity management is aware of the risks inherent in the project and system, accepts them and will use entity resources to maintain the system and mitigate any risk events that may arise. Note: Depending on the scope and impact of the project, approval of the Provost and/or the President of the University may be required.
Note: For reference, the Risk Acceptance Document can be found in the Resources > Forms section of the ISO web site located at: http://security.louisville.edu/Resources/Forms/Forms.html.
- Barring exceptional circumstances and given a proposal that is thorough and complete, the review committee will review and assess the proposal within 30 days of receipt.
- If approved, the entity proceeds with implementation. A Subject Matter Expert (SME) from IT will monitor implementation for adherence to the plan or appropriate changes. If implementation proceeds as planned, the technology is allowed to go into production.
Note: The SME is not the project manager.
- If implementation cannot proceed according to plan, the entity can correct any deficiencies or seek alternative solutions.
4. Future review or audit
- Audit Services, ISO, the University Compliance Office, IT or University Management may at a future date review the technology for continued adherence to the plan, security, etc.
SCOPE / APPLICABILITY:
All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
POLICY AUTHORITY / ENFORCEMENT:
The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
POLICY REVIEW:
This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.
COMPLIANCE:
Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
REVISION HISTORY:
Version / Revision Date / Description
1.0 / July 23, 2007 / Original Publication
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair
of the Compliance Oversight Council