I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It provides a method for requesting an exception with appropriate compensating controls and supporting documentation for any provision of FSU IT Security or Privacy Policies or Standards to address circumstances where strict compliance cannot be met with reasonable efforts or would significantly impair the educational, research, business, or service missions of the University.
Compliance with this Standard is mandatory and is enforced in the same manner as the Policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
II. Definitions
Compensating Control – a temporary mechanism put in place to manage a security risk and meet a security objective that is otherwise impractical to implement at the present time. Compensating controls should be considered only when a specific security requirement or control objective cannot be met due to legitimate technical constraints or documented business or legal constraints. A compensating control must sufficiently manage or mitigate the risk associated with the unmet requirement through implementation of alternative controls.
Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Full IT Glossary
III. Standard
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Dean, Director or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a University Unit. The DDDH has management authority and responsibility for IT security and privacy for the unit, in coordination with their designated CUU’s information security program.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
For more information, see IT Roles and Responsibilities.
Requests for Exceptions
Common reasons that may justify an exception being granted include:
- Compliance would adversely affect a Consolidated University Unit’s (CUU’s) ability to accomplish its objectives, and an alternative solution utilizing acceptable security controls is available.
- The cost of compliance would outweigh the risks of noncompliance.
- Immediate compliance would unacceptably disrupt operations.
The CUU ISM may request an exception on behalf of the requestor by following this process (requests are not accepted from individuals):
- The requestor will work with their University Unit ISM to:
  - fully identify the IT resources that are the subject of the request.
  - determine an alternative solution that would allow the Unit to accomplish its objective while providing appropriate security controls.
  - obtain the approval for an exception from the requestor’s University Unit Dean, Director, Department Head (DDDH).
  - submit the approved request to the CUU ISM for further processing.
- The CUU ISM will submit the approved exception request to the CUU DDDH for approval, then to the CISO via email at security@fsu.edu, using the Request for Exception to IT Security Policy Form.
- Exception requests must provide the following information:
  - name and contact information for the requestor, University Unit ISM and DDDH
  - name and contact information for the CUU DDDH and CUU ISM
  - information specific to the exception request, including supporting reference material (NIST, Cybersecurity Framework, manufacturer’s recommendations, etc.)
  - reasons for not complying with provision(s)
  - obstacles to compliance (e.g. technical, operational, financial, efficiency, or other challenges)
  - risks, including any data classified as High Risk or Moderate Risk as defined by the 4-OP-H-25.01 Data Security Standard
  - alternative compensating control(s) to be adopted that would achieve the intended security goal
  - description of data involved and unique, project-specific or environment-specific risks associated with non-compliance
  - approval by the University Unit DDDH and CUU DDDH
- A determination regarding the request will be provided by the CISO as soon as reasonably possible. More complex requests may receive a determination that further investigation is necessary. During evaluation, Units/CUUs may continue normal operations, unless instructed otherwise by the CISO.
- The CISO, or ISPO acting as the delegated authority, will evaluate exception requests on a case-by-case basis accounting for level of risk, potential threats and vulnerabilities, cost analysis, available staff resources, other priority commitments, and operational and technical limitations or constraints. Additional stakeholders and subject matter experts may be included during the evaluation process, but the CISO will have final responsibility and accountability for approving or denying a request for an exception.
- The CISO may approve compensating controls to maintain security and reduce risk when certain standard controls prescribed for that level are not feasible. These compensating controls must be documented and agreed to by the requestor and the CISO.
- The CISO may grant a short-term exception while working with the requestor to establish a timeline for full compliance.
- Short-term exceptions are valid for the agreed-upon timeline but will not exceed one year. If there is a continuing need for a short-term exception, the requesting CUU must request an extension to the short-term exception at least 30 days prior to its expiration.
- Long-term exceptions granted by the CISO remain in force for up to two years unless there is a significant change that requires reevaluation. If there is a continuing need for an exception, the requesting CUU must request an extension at least 30 days prior to its expiration.
- After exploring reasonable alternatives in conjunction with the CUU and other stakeholders, the CISO will approve or deny the request for an exception.
- Approval of an exception does not relieve the University Unit or CUU of the responsibility for the risk, nor does it transfer the risk to ISPO. Vulnerability Scans and audits will continue to report the risk for which the exception has been approved.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.
IV. References