I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It provides a method for requesting an exception with appropriate compensating controls and supporting documentation for any provision of FSU IT Security or Privacy Policies or Standards to address circumstances where strict compliance cannot be met with reasonable efforts or would significantly impair the educational, research, business, or service missions of the University.
Compliance with this Standard is mandatory and is enforced in the same manner as the Policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
II. Definitions
Compensating Control – a temporary solution mechanism that is put in place to manage a security risk and meet a security objective that is otherwise deemed impractical to implement at the present time. Compensating controls should only be considered when a specific security requirement or security control objective cannot be met due to legitimate technical or documented business or legal constraints. Compensating controls are required to sufficiently manage or mitigate the risk associated with the vulnerability through implementation of other alternative controls.
Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Full IT Glossary
III. Standard
FSU has adopted the NIST Cybersecurity Framework (CSF) 2.0 as the foundation for a risk-based approach to cybersecurity management. CSF uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and best practices to establish baseline expectations for cybersecurity for all University Units.
University Units are responsible for using this framework to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Functions supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework 2.0
| Function | Category |
| --- | --- |
| Identify (ID) | Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization |
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the university. The CISO reports to the FSU Chief Information Officer and the Provost and also serves as the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for establishing and enforcing the application of appropriate operational security controls necessary to protect the network.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Dean, Director or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a University Unit. The DDDH has management authority and responsibility for IT security and privacy for the unit, in coordination with their designated CUU’s information security program.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
For more information, see IT Roles and Responsibilities.
Requests for Exceptions
Strict adherence to information security policies, standards, or practices may not be feasible or may hinder the operational effectiveness of a unit. To address these situations, exceptions with acceptable alternative controls can be requested based on specific justifications.
Examples of valid reasons for requesting exceptions to information security policies, standards, or practices include:
- Compliance would adversely affect a unit's ability to accomplish its mission
- Immediate compliance would unacceptably disrupt operations
- The cost of compliance would outweigh the risks of noncompliance
- Compliance is impossible due to technical limitations or incompatibilities with existing legacy systems. An acceptable temporary exception may be approved while long-term remediation is implemented
Exception Request Process
Exceptions must be requested by the CUU ISM on behalf of the requestor (requests are not accepted from individuals). Before submitting an Exception Request, the CUU ISM should contact ISPO via email at security@fsu.edu for guidance in determining if an exception is required.
- The requestor will work with their University Unit ISM(s) to:
  - fully identify the IT resources that are the subject of the request.
  - notify and collaborate with the CUU ISM to determine an alternative solution that would allow the Unit to accomplish its objective while providing appropriate security controls.
  - obtain approval for an exception from the requestor’s University Unit Dean, Director, or Department Head (DDDH).
  - submit the approved request to the CUU ISM for further processing.
- The CUU ISM will provide final review and coordinate CUU approvals (CUU ISM and CUU DDDH), then submit the completed and approved exception request to the CISO via email at security@fsu.edu, using the Request for Exception to IT Security Policy Form.
- Exception requests must provide the following information:
  - name and contact information for the requestor, University Unit DDDH and ISM
  - name and contact information for the CUU DDDH and CUU ISM
  - affected Unit and CUU name
  - information specific to the exception request, including supporting reference material (NIST, Cybersecurity Framework, manufacturer’s recommendations, etc.)
  - justification for not complying with security and privacy policies and standards provision(s)
  - obstacles to compliance (e.g. technical, operational, financial, efficiency, or other challenges)
  - risks, including any data classified as High Risk or Moderate Risk as defined by the 4-OP-H-25.01 Data Security Standard
  - alternative compensating control(s) to be adopted that would achieve the intended security goal and provide acceptable risk mitigation
  - description of data involved and unique, project-specific or environment-specific risks associated with non-compliance
  - approval by the University Unit ISM and CUU ISM
  - approval by the University Unit DDDH and CUU DDDH
- A determination regarding the request will be provided by the CISO as soon as reasonably possible. More complex requests may receive a determination that further investigation is necessary. During evaluation, Units/CUUs may continue normal operations, unless instructed otherwise by the CISO.
- The CISO, or ISPO acting as the delegated reviewer, will evaluate exception requests on a case-by-case basis accounting for level of risk, potential threats and vulnerabilities, cost analysis, available staff resources, other priority commitments, and operational and technical limitations or constraints. Additional stakeholders and subject matter experts may be included during the evaluation process, but the CISO will have final responsibility and accountability for approving or denying a request for an exception.
- The CISO may approve compensating controls to maintain security and reduce risk when certain standard controls prescribed for that level are not feasible. These compensating controls must be documented and agreed to by the requestor and the CISO.
- The CISO may grant a short-term exception while working with the requestor to establish a timeline for full compliance.
- Short-term exceptions are valid for the agreed-upon timeline but will not exceed one year. If there is a continuing need for a short-term exception, the requesting CUU must request an extension to the short-term exception at least 30 days prior to its expiration.
- Long-term exceptions granted by the CISO remain in force for up to 2 years unless there is a significant change that requires reevaluation. If there is a continuing need for an exception, the requesting CUU must request an extension at least 30 days prior to its expiration.
- After exploring reasonable alternatives in conjunction with the CUU and other stakeholders, the CISO will approve or deny the request for an exception.
- Approval of an exception does not relieve the University Unit or CUU of the responsibility for the risk, nor does it transfer the risk to ISPO. Vulnerability Scans and audits will continue to report the risk for which the exception has been approved.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.
IV. References