Fayetteville Policies and Procedures  913.0 

Information Security Policy Exemption

  1. Overview 
    This policy describes the process for the review of exemption requests for published University of Arkansas information security policies. Exemptions are required when a necessary business process cannot meet the requirements of a security policy and still be effective and function.

  2. Purpose 
    The purpose of this policy is to provide a process to review, approve, reject, and document exemptions to the university’s published information security policies. This policy is intended to address situations where necessary business processes, cannot be compliant with a published security policy and functional or effective.  

  3. Scope 
    This institution-wide process applies to all units and authorized individuals requesting an exemption to university information security policies.*

  4. Definitions:
    1. Business Case: A documented justification for a necessary business function, process, asset, or configuration, not complying with policy, basis of the university successfully executing its mission.
    2. Compensating Controls: Are controls put in place to mitigate risk or vulnerability caused by non-compliance.  Is a mechanism that is put in place to satisfy the requirements for an information Security measure that is deemed too difficult or impractical to implement at the present time.
    3. Risk Analysis: The process of assessing the likelihood of an adverse event occurring within a given environment.
    4. Risk Mitigation: The process of prioritizing and implementing risk reducing controls to lower residual risk to an acceptable level.  
  5. Policy
    1. Exemption Requirements 
      Any deviation from security policies must be reviewed and approved using the following order of processes for an exemption to policy. 
    2. The following steps are required to request an exemption:
      1. All units must make a good faith effort to come into compliance with published policy.
      2. The unit is responsible for creating a service request for each exemption to policy. The requester creates a ticket in the IT service management system which is assigned to the security team for tracking and workflow.
      3. The unit requesting the exemption must identify the financial party responsible for accepting costs and resource allocation for the entire business unit.  This individual will need to approve the business justification for the exemption.
      4. The unit’s IT support will evaluate the exemption request and determine initial compensating controls. All requests from units that do not have local IT support will go to the IT Director of Support Services through the UITS Helpdesk.
      5. The office of the CISO will review the exemption request for residual risk. The office of the CISO determines an initial approval or denial and then will refer the request for exemption to the CIO.
      6. The CIO will review the exemption request and make a recommendation to the VCFA.
      7. The VCFA will review all exemptions for risk to the university and can reverse an approval or denial of an exemption. 
    3. The following steps are required to fulfill a request:
      1. The UITS ITSM (Information Technology Service Management) system logs and tracks all exemption requests. Exemptions are considered highly sensitive and are only accessible to university staff with a need to know.
      2. Exemptions will be approved for a specific time period, generally not to exceed one year, and will expire at the end of that time period.  At the end of the exemption period, the requesting unit will be required to request a renewal of any exemption that needs to be extended.
      3. The requester or unit is responsible for initiating a review prior to the expiration of the exemption, and to ensure that business conditions have not changed. Exemptions are not automatically renewed after their expiration date.
  6. Reporting and Addressing Suspected Violations. Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement
    Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices. Code of Computing Practices | VCFA | University of Arkansas (uark.edu). 

  8. Exemptions
    Exemptions from this policy must be approved. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.

*This policy does not pertain to requests for a reasonable accommodation for a disability, which are addressed under separate policies.

August 8, 2022