Standard 22: Security Exceptions

Revision Number:

New Standard
Major Revision of Existing Standard
Minor/Technical Revision of Existing Standard
Reaffirmation/Review of Existing Standard

Effective Date:

2/24/2020

Revised Date:

2/24/2020

Review Date:

2/24/2020

Responsible Division/Department:
Office of the CIO / Information Technology Services

Exceptions to an otherwise required security control may be granted by the UNF Chief Information Security Officer (CISO) to address specific circumstances or business needs, relating to an individual program or department, only as authorized by applicable law and institutional policy. Requests for exceptions of this type must be submitted in an email to IT Security ( ITSecurity@unf.edu) and should be initiated by the data owner. Both the UNF CISO and data owner are jointly responsible for ensuring that any exception is not contrary to applicable law.
The UNF CISO may issue blanket exceptions to address institution-wide situations.
All exceptions must be based on an assessment of business requirements weighed against the likelihood of an unauthorized exposure, and the potential adverse consequences for individuals, other organizations, or the University were an exposure to occur.
As a condition for granting an exception, the UNF CISO may require compensating controls be implemented to offset the risk.
All exceptions must be documented, and must include the following elements:
1. A statement defining the nature and scope of the exception in terms of the data and/or the class of devices included
2. the rationale for granting the exception
3. an expiration date for the exception
4. a description of any compensating security measures that are to be required
5. acknowledgement, via signature (written, electronic, or through automated process), of the UNF CISO, and, in the case of an exception resulting from a data owner request, of the data owner
Encryption exceptions.
1. The UNF CISO may grant an exception to the use of encryption on a device if it is determined that:
  1. Encryption makes the device unsuitable to perform its intended functions;
  2. there are no alternative hardware or software options available that can be used to allow encryption; and
  3. the risk posed by the unencrypted device is minimal or moderate based on its use and/or other implemented compensating controls.
2. The UNF CISO may recommend to the Chief Information Officer (CIO) an encryption exception be granted for a high impact device if encryption makes the device unsuitable to perform its intended function.