Requesting a Security Exception

Owned by Preston Merkel, created
Last updated: Nov 01, 2022
2 min read

What is a Security Exception?

A security exception is an exception to current cybersecurity policies and standards in cases where the benefits to Seattle University outweigh security risks/non-compliance.

When to apply for a Security Exception

If a process, procedure, or solution you need to implement is not compliant with current security policies or standards you will need to apply for a temporary exception with ITS Information Security

How to apply for a Security Exception

Fill out the Security Exception Request form in the ITS Self-Service Portal

Considerations:

  • All Security Exceptions — if approved — are only valid for up to 6 months.

  • Once the specified expiration date has passed, you are required to immediately cease implementation of the process, procedure, or solution referenced in your request.

  • If approved, you must abide by any additional conditions imposed by Information Security that were communicated to you in order to retain the active status for an approved exception.

  • ITS or Information Security may revoke the active status for an approved Security Exception at any time.

  • After the expiration date, a Security Exception request cannot be reinstated. A new Security Exception Request form must be submitted again.

Why only 6-months?

The owner of the exception should be actively looking for ways to mitigate the exception so that it falls in line with our policies. A security exception is a temporary exception allowing the progression of work while a permanent, policy-compliant solution is researched or being tested.

Security Exception approval process

Once you submit the Security Exception Request form, a series of approvals are required before the exception is considered active.

Approvals will be automatically routed to the relevant parties. You will not have to chase approvals down.

These are the following people or groups, in order, that will be reviewing and approving or denying the request.

  1. Your manager

  2. Director of Risk & Cybersecurity

  3. CIO of Information Technology Services (ITS)

If approved, you will receive a notification via email that your request was approved.