Security Policy Exception
Policy exceptions are outlined in the University Policy AD-95 and the Standard, “Requests for Exception to Information Security Policy.” This Standard provides options in the event the strict application of policy cannot be met with reasonable efforts. Penn State is committed to assisting the University in meeting its objective while appropriately protecting information assets.
What is a Security Policy Exception?
Penn State recognizes that units and individuals at Penn State operate in diverse and complex environments. In the event strict application of the Information Assurance and IT Security Policy and its supporting standards cannot be met with reasonable efforts, Penn State is committed to assisting individuals and units in the completion of their objectives while providing for appropriate protection of institutional information assets.
Who needs a Security Policy Exception?
The most common reasons for exceptions include:
- compliance adversely affects an individual’s or a unit’s ability to accomplish its objectives and another acceptable solution with appropriate protection is available
- the risks of noncompliance are outweighed by the compliance costs, OR
- when immediate compliance would unacceptably disrupt operations.