
Security Policy Exception

Policy exceptions are governed by University Policy AD95 and the Standard “Requests for Exception to Information Security Policy.” The Standard defines the options available when a policy requirement cannot be met with reasonable effort. Penn State is committed to helping units meet their objectives while still protecting institutional information assets appropriately.


WHAT IS A SECURITY POLICY EXCEPTION?

Penn State recognizes that units and individuals operate in diverse and complex environments. When a requirement of the Information Assurance and IT Security Policy or one of its supporting standards cannot be met with reasonable effort, a documented exception allows the unit or individual to accomplish its objectives while the University still provides appropriate protection for institutional information assets.


WHO NEEDS A SECURITY POLICY EXCEPTION?

The most common grounds for an exception are:

  • compliance adversely affects an individual’s or a unit’s ability to accomplish its objectives, and another acceptable solution that provides appropriate protection is available;
  • the risk of non-compliance is outweighed by the cost of compliance; or
  • immediate compliance would unacceptably disrupt operations.

HOW DO I REQUEST A SECURITY POLICY EXCEPTION?

Complete the Security Policy Exception form in ServiceNow to initiate the review process.


Specific Questions and Scenarios


  • End-of-Life Operating Systems: To request an exception for an operating system that is past end of life, use the ServiceNow form above.
  • False Positives: Report suspected false positives to vulnscanning@psu.edu so they can be verified and, if confirmed, promptly removed from the scan results. Include the affected system(s), the reported vulnerability, and an explanation of why you believe the finding is a false positive. A false positive is not an exception; an exception is for a real finding that cannot be remediated, so do not request one for a finding you believe is wrong.
  • All other vulnerability exception requests should use the general system vulnerability exception form and include, at a minimum:
    • The IP address of the system
    • A brief description of the system and its role
    • The scanner plugin ID of the vulnerability
    • The reason an exception is needed (why the finding cannot be remediated)
    • A proposed expiration date for the exception (maximum of two years); exceptions are not permanent and must be re-requested when they expire
    • Any compensating controls already in place that reduce the risk of the unremediated finding
  • Enclave exception requests are vetted by the Consulting and Architecture team, with input from the Compliance and Enterprise Security teams where appropriate, and implemented by the Enterprise Security team. All other exception requests are vetted and implemented by the Enterprise Security team.
  • A list of active vulnerability exceptions for your unit is available in the Unit Security Dashboard.
  • Other Questions? Please contact Information Security.