to the Office of Information Security
Security Policy Exception
Policy exceptions are outlined in the University Policy AD95 and the Standard – “Requests for Exception to Information Security Policy.” This Standard provides options in the event the strict application of policy cannot be met with reasonable efforts. Penn State is committed to assisting the University in meeting its objective while appropriately protecting information assets.
WHAT IS A SECURITY POLICY EXCEPTION?
Penn State recognizes that units and individuals at Penn State operate in diverse and complex environments. In the event strict application of the Information Assurance and IT Security Policy and its supporting standards cannot be met with reasonable efforts, Penn State is committed to assisting individuals and units in the completion of their objectives while providing for appropriate protection of institutional information assets.
WHO NEEDS A SECURITY POLICY EXCEPTION?
The most common reasons for exceptions include:
- compliance adversely affects an individual’s or a unit’s ability to accomplish its objectives and another acceptable solution with appropriate protection is available
- the risks of noncompliance are outweighed by the compliance costs, OR
- when immediate compliance would unacceptably disrupt operations.
HOW DO I REQUEST A SECURITY POLICY EXCEPTION?
Please complete this form in ServiceNow to initiate the Security Policy Exception review process.
Specific Questions and Scenarios
- End of Life Operating Systems: If you’d like to request an exception for an End-of-Life Operating System, please use the Service Now form above.
- All other vulnerability exception requests should be sent to firstname.lastname@example.org, or the System Vulnerability and Application Scanning Assignment Group in Service Now, and include the following information at a minimum:
- The IP of the system
- A brief description about the system
- The plugin ID of the vulnerability
- The reason why an exception is needed
- A proposed expiration date for the exception (maximum of two years)
- Any compensating controls already in place
- Enclave exception requests will be vetted by the Consulting and Architecture team, with input by the Compliance and Enterprise Security teams where appropriate, and implemented by the Enterprise Security team. All other exception requests will be vetted and implemented by the Enterprise Security team
- A list of active vulnerability exceptions for your unit is available in the Unit Security Dashboard.
- Other Questions? Please contact the Office of Information Security.