Enterprise Technology & Services (ET&S) recognizes that business needs, academic activities, and/or research project requirements sometimes make it impossible or impractical to comply with the established Technology/Cybersecurity Policies & Standards, and understands that there are circumstances where exceptions must be allowed.
Exceptions are temporary exemptions from Policy or Standard compliance.
Some examples of exceptions are:
- Use of software that requires a device running an old operating system
- Processes involving community members or administrators sharing accounts
- Servers or other information technology resources with vulnerabilities that cannot be fixed because of extenuating circumstances
- Business processes that cannot meet requirements because of resource constraints
The exception process, defined in the Cybersecurity Exception Standard, provides members of the USNH community with a single point of contact to request exceptions to all Technology/Cybersecurity Policies & Standards. Requiring documented exceptions enables Cybersecurity & Networking to better manage cybersecurity risk across all USNH institutions.
To request an exception, complete the form found here and provide as much of the information below as possible:
- The Policy or Standard for which the exception is being requested
- Business reason or justification explaining why an exception is needed
- Administrative, academic, or business unit requesting the exception
- Head of the requesting unit
- Why compliance is not possible (e.g., the total cost to comply with the Policy or Standard, or the negative impact to USNH community members, including an estimate of the number of community members that may be negatively impacted)
- List of the business units, business processes, information technology resources, and institutional information to which the exception applies
- How long the exception will be needed
Requests for exceptions are handled by Cybersecurity Governance, Risk, & Compliance (GRC). When a request is submitted, a ticket is created, which allows the requester to view the status of the request and communicate directly with the Cybersecurity GRC team in the USNH TeamDynamix Client Portal.