Information Security Standard Exception Request – Administrative Privileges

Use this service to request an exception to required standards published by the UM Information Security Office (ISO).

The Information Security Office (ISO) is charged with protecting the university’s data and information assets and does so through the UM Information Security Policy and UM Information Security Program. As such, the ISO has issued standards and controls that must be followed by all university-owned information systems. Exceptions to the UM Information Security Program are not intended to be permanent. The exception process is intended to give the requestor time to implement a control or standard or, in some cases, to implement alternate, equivalent compensating controls.

Depending on the nature of the exception, the University’s Cyber Liability Insurance policy may not cover incidents or compromises directly resulting from the exception.

In general, an exception to an information security policy, standard or practice may be granted in one of the following situations:

  •     Temporary exception, where immediate compliance would disrupt critical business operations
  •     A legacy system is being retired and compliance is not possible (risk must be managed)
  •     Long-term exception, where compliance would adversely impact university business
  •     Compliance would cause a major adverse monetary impact that would not be offset by the reduced risk occasioned by compliance (i.e., the cost to comply offsets the risk of non-compliance)
  •     The nature of the employee's work requires the frequent ability to install or upgrade nonstandard software on the device. “Frequent” is defined as anticipated to average more than once per month
  •     When required software will not operate without administrative privileges

When an exception to a standard is granted, the responsible unit will accept the risks the exception represents to the University.  

How to request

To request an exception, click Create a Ticket (top right of the page) and provide the following required information.

  1.     Why can't the standard be followed?
  2.     Duration of the exception request (1, 6, or 12 months)
  3.     Mitigating controls being put in place to manage the security posture of the University computing and information resource
  4.     Attach any supporting documents

Availability and Access

Current UM affiliation

You can expect the exception to be reviewed within 10 business days.

Questions

If you have any additional questions, contact the Information Security Office at itsec@mso.umt.edu.