Secure Computing Standards - Risk Acceptance and Temporary Security Exceptions

OIT offers two types of exemptions from IT Security policies and standards: Risk Acceptance (as defined by the CU System Risk Acceptance Process) and Temporary Security Exceptions. These processes exist to accommodate circumstances where a department cannot conform to a university policy, procedure, standard or guideline.

How to make an exception or risk acceptance request

If all efforts to mitigate a risk have failed, and you have a strong justification for a temporary security exception or risk acceptance, start the exception/risk acceptance process: 

  1. Fill out and submit a request form: A department director or chair must be listed on the request form. That contact will be copied on all communication going forward.
    • There are six different request forms available. See the following section for help determining which form you need and for links to the forms.
  2. Work with OIT Security to complete your request: Depending on your request, you may be required to provide additional information about your environment, implement compensating security controls, and/or sign an agreement of shared risk responsibility on behalf of your department.
  3. Request will be approved or denied within 10 business days: If your request is approved, OIT Security may use Microsoft Teams to share installation files or other resources with you.

Please Note: This process should only be used when all other attempts to mitigate a risk have failed. By requesting a temporary security exception or risk acceptance, you are placing the accountability of this security risk onto your department.

Why request a temporary security exception or risk acceptance?

Temporary security exceptions can be requested when certain security controls or measures cannot be immediately implemented due to practical or operational constraints. Risk acceptance can be requested when a department wants to acknowledge a risk that cannot be remediated.

Who approves or denies these requests?

  • Temporary security exceptions are managed by the OIT Security team. They will assess the justification for a security exception and analyze the associated risks and the potential impact on the university. Requests are sent to the Campus Information Security Officer and the CIO for approval.
  • Risk acceptance requests are managed by the OIT Security team and are handled in accordance with the CU System Risk Acceptance process.

Why is this process important?

  • These processes are a fundamental part of any information security program to accommodate circumstances where risk mitigation is not feasible and residual risk can be managed within acceptable limits.
  • Registering these exceptions helps the university stay informed of its security posture and can minimize negative impacts on your department in the case of a security incident.

Choosing the correct form

Temporary security exception requests and risk acceptance requests are currently supported for three IT Security standards: Secure Computing Standards for Computers, Secure Computing Standards for Servers, and Vulnerability Management Standard. Read the components of each standard to understand which relates to your situation.

Exception timeline                                          | Secure Computing Standard for Computers                        | Secure Computing Standard for Servers                        | Vulnerability Management Standard
------------------------------------------------------------|----------------------------------------------------------------|--------------------------------------------------------------|------------------------------------------------------
Exception needed for 3 to 6 months                          | Exception to the Secure Computing Standard for Computers       | Exception to the Secure Computing Standard for Servers       | Exception to the Vulnerability Management Standard
Exception needed for 12 months or more (risk acceptance)    | Risk Acceptance - Secure Computing Standard for Computers      | Risk Acceptance - Secure Computing Standard for Servers      | Risk Acceptance - Vulnerability Management Standard

Frequently Asked Questions

How long do temporary security exceptions last?

Temporary security exceptions last three months. After three months, the Extension for an Existing Temporary Security Exception form can be used to request that an additional three months be added to the duration of the exception. After six months, the risk acceptance process must be pursued for any further exemption from security standards.

How can I get updates on the status of my request?

Once the request form is submitted a case is created in OIT's ticketing system. You will receive an automated email with your case number and can respond to the email to communicate with the security team. The security team strives to provide a determination within 10 business days.

What if I require an exemption from something outside the scope of the Secure Computing standards and the Vulnerability Management standard?

Please email security@colorado.edu to explain the request, and the security team will help assess potential solutions.

Help

Not sure where to start? Email security@colorado.edu for assistance with this process.