Overview of IT Security Waivers and Exceptions

YSU intends for IT Security Practices (ITSP) to be followed by all users. Although YSU has drafted the associated security policies with all users and their needs in mind, it is recognized that the security policies may not fit every conceivable situation. However, YSU intends to monitor and enforce ITSP compliance to the extent possible with current processes and technology. Regardless of the reason, end users do not have the right to violate ITSP unless a Practice exception or waiver has been requested and approved by the Network Security team.

An ITSP “exception” refers to a one-time event where Practice cannot be followed due to some technical or logistical reason. An example of an exception would be an urgently needed wireless access point to support a conference. In this case, the process of requesting the exception would allow the appropriate IT Support group to set up the access point securely, and provide secondary protections for the internal network if necessary.

An ITSP “waiver” refers to a long-term deviation from Practice, usually for technical reasons. Examples of this would be a server that cannot accept mandated security settings due to application incompatibility, or systems that cannot accept current security patches for some technical reason. In both cases, the waiver request provides the opportunity to implement alternative security controls, and possibly additional intrusion monitoring. In most cases, a waiver indicates a less-than-ideal security situation, and the waiver request allows that situation to be properly managed by the appropriate IT Support group.

Exceptions and waivers will be considered on an individual basis. Where appropriate, a risk assessment will be performed to evaluate the threats, countermeasures, and extenuating circumstances associated with the exception and the impact of the exception on resources and business processes. Requests for exceptions must be made in writing to the Network Security team for evaluation and appropriate action.

IT Security Manual Waiver & Exception Form*