Anda di halaman 1dari 3

Information Security Exception Policy

Rev. 1.1
Effective Date: July 1, 2010
Last Revised: July 1, 2010
Under Review

The following are responsible for the accuracy of the information contained in this document

Responsible University Officer(s)

Associate Vice President / Associate Vice Provost for
Information Technology (CIO)

Responsible Coordinating Office

Office of Information Technology

1. Executive Summary
Situations or scenarios will arise that cannot be effectively addressed within the constraints
Georgia Techs security policies and standards. There will be times when business processes can
and should take precedence over these policies. However, we must still consider the security of
Georgia Techs infrastructure and data. Therefore, a review process is provided to approve and
document requests for exemptions to Georgia Techs security policies, which may be found at The process allows unit heads and Institute leadership to make an
informed decision on whether or not to request an exception to a particular IT policy by
understanding the risk and alternatives involved.
(NOTE: Phrases shown in italics at their first occurrence in this document are defined in the
associated IT Policy Definitions - Standards Document No. 05.GIT.170)

2. Scope
This Institute-wide policy applies to all units and individuals requesting an exemption to Georgia
Techs security policies and standards.

3. Statement of Policy
3.1. Exception Process
Any deviation from security policies and standards must be reviewed via the Information
Security Exception Review process.
The exception review process must involve qualified information security professionals.
The exception review process must log all findings and results in a central repository that is
accessible to all Georgia Tech staff involved in the assessment of the exception request.
Approved exceptions must be periodically reviewed by OIT-IS, Internal Audit, and the
Policy No. 08.GIT.130

Georgia Institute of Technology, 2008

Page 1

Georgia Institute of Technology

Exception Policy

Rev. 1.1

Unit requesting the exception.

Exemption requests involving potentially significant risk to the Unit may require approval
of the Unit Head, CIO, EVP, or Provost.
3.2. Exception Criteria
Exception requests must be evaluated in the context of potential risk to the Unit and
Georgia Tech as a whole.
Exception request evaluations must take into account what value the exception will bring
to the Unit requesting the exception.
Exception requests that create significant risks without compensating controls will not be
Exception requests must be consistently evaluated in accordance with Georgia Techs risk
acceptance practice.

1. Responsibilities
GT security policies and standards specify the minimum requirements that must be met
throughout Georgia Techs IT environment.
Georgia Techs OIT Information Security (IS) group is responsible for developing and
maintaining this policy.
Georgia Tech Academic and Administrative Units, including OIT, are responsible for
communicating this policy to their users and submitting risk exception requests via the approved

2. Communication
Upon approval, this policy shall be published on the Georgia Tech IT Policy website. The
following groups shall be notified via email and/or in writing upon approval of the standard and
upon any subsequent revisions or amendments made to the original document:

Office Information Technology (OIT)

Campus Deans and Chairs
Unit Business/Administrative Leads
Georgia Tech IT Directors
Campus CSRs
Internal Audit

3. References

Georgia Tech IT Policy Website

Georgia Institute of Technology, 2008

Page 2

Georgia Institute of Technology

Exception Policy

Rev. 1.1

Georgia Tech CNUSP

Information Security Exception Review Procedures

Georgia Tech Information Security Exception Form

Revision Number

Richard Biever
Richard Biever

Georgia Institute of Technology, 2008

Initial Draft
Review/Changes from ITAC

Page 3