Security Exceptions

What Is a Security Exception?

A security exception is permission to continue operating a system, service, or product that cannot comply with information security policies and standards referenced in IS-3 and IS-12. While exceptions to these policies and standards may weaken protection of institutional information and IT resources, they are occasionally necessary.

When Should I Submit a Security Exception Request?

UCSC requires units to request a security exception when institutional information and/or IT resources (Data Protection Levels P1-P4) cannot comply with an information security policy or standard.

What Information Do I Need to Request a Security Exception?

Campus units must follow a risk-based approach when requesting an exception to the security controls. They must list the measures in place to mitigate risk (compensating controls) until they meet campus policies or standards.

In the security exception request, units must explain:

  • Why the exception is needed.
    • For example, a Protection Level 2 (P2) operating system is end-of-life (EOL).
  • What policy or standard they are requesting an exception from (that is, the policy or standard the system cannot comply with).
    • For example, IS-3, 12.6: Technical Vulnerability Management and Patch Management.
  • How any proposed compensating controls mitigate security risks that this policy would otherwise address.
    • For example, the unit will move the system behind a secure network segment or firewall and install Extended Detection & Response (XDR).
  • The duration of the exception request.
    • 6 months maximum.
  • Optionally, a cost-benefit analysis supporting the request.

Units will also need the following information when submitting the request:

The appropriate unit head must approve the security exception request. Additional approval from the Chief Information Security Officer (CISO) or a higher authority may be required if an exception poses an exceptionally high security, financial, reputational, and operational risk to the institution.

The Information Security team may need to develop a Risk Treatment Plan (RTP) to address pre-identified risks in specific situations. For example, an RTP is needed for an outdated system that does not support the recommended anti-malware software and needs a long-term security exception until the system is upgraded, patched, or replaced.

How Do I Request a Security Exception?

Log into the SlugHub Portal and submit the Security Exception Request form.

Complete all the required fields in the Security Exception Request form. Once the form is submitted, a request ticket will be created in SlugHub, the ITS support ticket system.

What Happens After I Request a Security Exception?

  1. Information Security will review the request, determine a risk rating, and document any other relevant information for consideration.
    • If additional information is needed, it will be requested in the comments of the SlugHub ticket.
  2. The security exception sponsor, unit head, or data proprietor will review the information in the request, including the risk rating, and approve or reject the security exception.
  3. If the security exception is approved, subsequent tasks and reminders will be sent to manage the security exception lifecycle/resolution.
    • The requester and units are responsible for meeting compliance by the exception expiration date.
    • Reminders will be emailed to the requester, security exception sponsor, unit head, or data proprietor, and Unit Information Security Lead (UISL) 30 days and 1 day before the exception expiration date.
  4. If the security exception expires, the Information Security team will check in with the requester on the status and determine whether to:
    • Close the request for completion.
    • Request an extension.
    • Develop a Risk Treatment Plan (RTP).
    • Provide a risk briefing for unresolved security exceptions to the campus unit, department, or division’s senior leadership.

How Do I Request a Security Exception Extension?

The campus unit may request an extension on a case-by-case basis. A new security exception request must be submitted and approved by the security exception sponsor, unit head, or data proprietor. You need to provide the previous request number (RITM) and a reason for the extension.

  • If the extension is approved, the security exception is valid for up to 6 months more.
  • If the extension expires, Information Security will provide a risk briefing to the security exception sponsor, unit head, or data proprietor to determine a course of action.

Questions?

Contact the Information Security Policy team by email at ispolicy@ucsc.edu.

Resources: