University of Utah Exception to Policy and Risk Acceptance Process
University faculty, staff, students, and volunteers must comply with all applicable policies, rules, standards, procedures and guidelines. The exception to policy and risk acceptance process applies to instances where the cost to remediate systems and processes that are not compliant with applicable policies, rules, standards, procedures and guidelines greatly exceeds the risks of non-compliance.

Exception to policy requests are reviewed and analyzed by the Information Security and Privacy Office; a request that creates significant risk without compensating controls will not be approved.

All approved exception to policy requests will have an expiration date and must be reviewed prior to that date to ensure that assumptions or business conditions have not changed, and reapproved if the exception to policy is still valid.

Exceptions Process
  1. Requestor shall complete the first five sections of the Exception to Policy and Risk Acceptance Agreement and submit the completed document via email to the Information Security and Privacy Office.
  2. The Information Security and Privacy Office shall review the request, contact and work with the requestor to complete section six of the agreement as it pertains to institutional risk, determine the required signatures, and return the agreement to the requestor.
  3. The requestor is responsible for collecting all of the required physical signatures, with the exception of the Chief Information Security Officer (CISO), and faxing the signed agreement to the Information Security and Privacy Office at 801-587-9443 for final approval by the CISO.
  4. If approved, the document will be scanned and emailed to each individual who provided a signature.
  5. Final appeal of a decision may be made to the Chief Information Officer.