Situations or scenarios will arise that cannot be effectively addressed within the constraints Georgia Tech’s security policies and standards. There will be times when business processes can and should take precedence over these policies. However, we must still consider the security of Georgia Tech’s infrastructure and data. The process allows unit heads and Institute leadership to make an informed decision on whether or not to request an exception to a particular IT policy by understanding the risk and alternatives involved.
(NOTE: Phrases shown in italics at their first occurrence in this document are defined in the associated IT Policy Definitions - Standards Document No. 05.GIT.170)
Exception Process
- Any deviation from security policies and standards must be reviewed via the Information Security Exception Review process.
- The exception review process must involve qualified information security professionals.
- The exception review process must log all findings and results in a central repository that is accessible to all Georgia Tech staff involved in the assessment of the exception request.
- Approved exceptions must be periodically reviewed by OIT-IS, Internal Audit, and the Unit requesting the exception.
- Exemption requests involving potentially significant risk to the Unit may require approval of the Unit Head, CIO, EVP, or Provost.
Exception Criteria
- Exception requests must be evaluated in the context of potential risk to the Unit and Georgia Tech as a whole.
- Exception request evaluations must take into account what value the exception will bring to the Unit requesting the exception.
- Exception requests that create significant risks without compensating controls will not be approved.
- Exception requests must be consistently evaluated in accordance with Georgia Tech’s risk acceptance practice.
This Institute-wide process applies to all units and individuals requesting an exemption to Georgia Tech’s security policies and standards.
If a Unit determines they cannot follow an Institute-level policy or standard, then the Unit should request an exception. Before doing so, the Unit should consider what risks they may face by not adhering to the policy as well as the benefit gained by requesting the exception.
The Unit should fill out the Policy Exception Request form and submit it to OIT-Information Security (OIT-IS).
Once OIT-IS has the request, they will review the submission for completeness (ensure no information is missing) and follow up with the Unit as necessary.
OIT-IS will perform a risk assessment of the request, the proposed mitigation, and the benefit of allowing the exception.
OIT-IS, Internal Audit, and the Unit will meet and review the risk assessment and the proposed mitigation measures. The purpose of the review is to examine the exception request, and discuss the potential risk and proposed mitigation by the Unit. If the exception poses a significant risk, OIT-IS will work with the Unit to understand the reason for the exception and propose reasonable alternatives to both mitigate the risk as well as provide the necessary functionality needed by the Unit.
If the review team finds the exemption could lead to significant risk to the Unit or the Institute, then they will inform the Unit Head (Dean, AVP), Director of Internal Audit, and the CIO.
Exemption requests involving potentially significant risk to the Unit may require approval of the Unit Head, CIO, EVP, or Provost.
Once the review of the exception has been completed and the exception approved, the exception will be signed off on by OIT-IS, IA, and the Unit Lead. In doing so, the Unit is accepting the potential risk caused by allowing the exception. An electronic copy of the exception will be maintained.
The exception will be granted for a period of no more than 1 year from the time the exception is granted. At the end of the year, the exception will be reviewed and either terminated or renewed for another period.
Communication
Upon approval, this policy shall be published on the Georgia Tech IT Policy website. The following groups shall be notified via email and/or in writing upon approval of the standard and upon any subsequent revisions or amendments made to the original document:
- Office Information Technology (OIT)
- Campus Deans and Chairs
- Unit Business/Administrative Leads
- Georgia Tech IT Directors
- ITAC
- Campus CSR’s
- Internal Audit
GT security policies and standards specify the minimum requirements that must be met throughout Georgia Tech’s IT environment.
OIT-IS
Georgia Tech Cyber Security group is responsible for developing and maintaining this procedure.
Units
Georgia Tech Academic and Administrative Units, including OIT, are responsible for communicating this procedure to their users and submitting risk exception requests via the approved process.
Revision Number | Author | Description |
---|---|---|
1.0 | Richard Biever | Initial Draft |
1.1 | Richard Biever | Review/Changes from ITAC |