OIT offers two types of exemptions from IT Security policies and standards: Risk Acceptance (as defined by the CU System Risk Acceptance Process) and Temporary Security Exceptions. These exemptions exist to accommodate circumstances in which a department cannot conform to a University policy, procedure, standard or guideline, or cannot mitigate a risk. In such instances, risk acceptance or a temporary security exception can be requested, and the risk must be documented and approved.
How to make an exception or risk acceptance request
If all efforts to mitigate a risk have failed, and you have a strong justification for a temporary security exception or risk acceptance, start the exception/risk acceptance process:
- Fill out and submit a request form: A department director or chair must be listed on the request form. That contact will be copied on all communication going forward.
- OIT Security reviews request: OIT Security will likely reach out to you to collect additional information.
- Request will be approved or denied within 10 business days: If approved, an expiration date will be set. Approval must be obtained again when the expiration date is reached.
Please Note: This process should only be used when all other attempts to mitigate a risk have failed. By requesting a temporary security exception or risk acceptance, you are placing accountability for this security risk on your department.
Why request a temporary security exception or risk acceptance?
Temporary security exceptions can be requested when certain security controls or measures cannot be immediately implemented due to practical or operational constraints. Risk acceptance can be requested when a department wants to acknowledge a risk that cannot be remediated.
Who approves or denies these requests?
- Temporary security exceptions are managed by the OIT Security team. They will assess the justification for a security exception and analyze the associated risks and the potential impact on the university. Requests are sent to the Campus Information Security Officer and the CIO for approval.
- Risk acceptance requests are managed by the OIT Security team and are handled in accordance with the CU System Risk Acceptance process.
Why is this process important?
- These processes are a fundamental part of any information security program to accommodate circumstances where risk mitigation is not feasible and residual risk can be managed within acceptable limits.
- Registering these exceptions helps the university stay informed of its security posture and can minimize negative impacts on your department in the case of a security incident.
Choosing the correct form
Temporary security exception requests and risk acceptance requests are currently supported for three IT Security standards: Secure Computing Standards for Computers, Secure Computing Standards for Servers, and Vulnerability Management Standard. Read the components of each standard to understand which relates to your situation.
Common examples of exceptions:
- An exception to run outdated or end-of-life software on a university computer should be requested with the Exception to the Secure Computing Standard for Computers form or the Risk Acceptance - Secure Computing Standard for Computers form, depending on the duration needed.
- To permanently opt a university server out of the vulnerability scanning program, use the Risk Acceptance - Secure Computing Standard for Servers form.
- To temporarily allow the existence of a vulnerability until a machine can be patched, use the Exception to the Vulnerability Management Standard.
A request for risk acceptance or a temporary security exception can be made if a strong justification exists for noncompliance with a policy, procedure, standard, or guideline. This process should only be used when all other attempts to mitigate a risk have failed. By requesting a temporary security exception or risk acceptance, your department must acknowledge the risk presented by these vulnerabilities and accept full responsibility for the identified risk.
Temporary Security Exceptions
Request a temporary exception from the current security requirements for Computers, Servers, or Vulnerability Management, or request an extension to your Temporary Security Exception’s expiration date by up to 3 months. Requests will be reviewed by the OIT Security office, departmental stakeholders, and executive leadership. Requestors will be notified once a decision is made, and exceptions will be tracked by the OIT Security office.
Risk Acceptance Forms
Fill out one of the risk acceptance forms to pursue risk acceptance from the requirements outlined in the University of Colorado Risk Acceptance Process. Requests will be reviewed by the OIT Security office, departmental stakeholders, and executive leadership. Requestors will be notified once a decision is made, and exceptions will be tracked by the OIT Security office.
Frequently Asked Questions
How long do temporary security exceptions last?
Temporary security exceptions last 3 months. After 3 months, the Extension for an Existing Temporary Security Exception form can be used to request that an additional 3 months be added to the duration of the exception. After 6 months, the risk acceptance process must be pursued for any further exemption from security standards.
How can I get updates on the status of my request?
Once the request form is submitted, a case is created in OIT’s ticketing system. You will receive an automated email with your case number and can reply to that email to communicate with the Security team. The Security team strives to provide a determination within 10 business days.
What if I require an exemption from something outside the scope of the Secure Computing standards and the Vulnerability Management standard?
Please email email@example.com to explain the request and the Security team will help assess potential solutions.
Not sure where to start? Email firstname.lastname@example.org for assistance with this process.