Policy Exception

Vanderbilt University has approved information security policies in place to safeguard the university, its people, and its computing resources from cyber threats. These information security policies outline responsibilities you must adhere to when utilizing university IT assets.

However, the university recognizes that there may be unique/critical business needs or academic pursuits that cannot comply with a particular policy thus necessitating the need for this service to provide exception to the policy.

If you are unable to comply with an approved policy that is in effect. However, you should first exhaust all options for compliance before seeking an exception. Once all options for compliance are exhausted, an exception to an approved information security policy or standard may be considered for these cases:  

• On a temporary basis, where immediate compliance would disrupt operations critical to the university’s mission.
• On a temporary basis, where an IT asset cannot support the compliant solution.
• Where an alternative compensating control would provide equivalent protection. 
• Where a legacy system is scheduled for retirement and compliance is not practical.

Submit a ticket to the Office of Cybersecurity.  

The CISO or a delegate will assess the details and grant or deny according the level of risk introduced.  The length of the assessment will depend on the nature of the request and completeness of details provided. Please be thorough and complete in your answers to prevent delays. 

• Granted exceptions: If granted, the requesting individual must follow all stipulations outlined by Cybersecurity. This may include putting in place compensating measures or processes to keep the level of risk acceptable.
• Denied exceptions: If denied, the requesting individual is responsible for coming into compliance.