The recommendations established by the Information Security Office are considered to be industry "best practices" for the protection of systems and information connected to, accessed by, or stored on Information Systems technology resources. While best practices are designed to protect university IT resources, exceptions may be necessary to achieve business objectives. In those cases, an exception must be formally requested, reviewed, and approved. The following process outlines the steps for requesting an exception to IT security best practice.

Determine Relevant Information

  • What systems are involved?
    • Classification
    • Custodian
  • What information is involved?
    • Classification
    • Custodian
  • What business processes are impacted?

Discern Compensating Controls

  • Limited physical access
  • Logical separation of duties
  • Additional hardware or software solutions

Perform Risk Analysis

More information regarding risk analysis can be found in the National Institute of Standards and Technology (NIST) special publication 800-300, "Risk Management Guide for Information Technology Systems". In general, the risk analysis should answer the following questions:

  • Who are approved users?
  • What is the purpose of the system?
  • How important is the system to the organization?
  • What is the system-availability requirement?
  • What information is at risk?
  • How important is the information to the organization?
  • What is the information flow on the network?
  • What is the sensitivity of the information?
  • What are the disclosure requirements of the information?
  • What are the types of information storage used?
  • What is the impact on the organization if the information is disclosed to unauthorized personnel?
  • What are the requirements for information availability and integrity?
  • What is the effect on the organization if the information is not reliable?
  • Could a system or security issue result in injury or death?
  • What is the cost impact to the University of Tennessee if the exception request is denied?

Compose the Description of and Justification for the Exception

This is the text that will be submitted and stored with the exception request form. The description and justification should address the following:

  • A clear definition of the information at risk
  • The systems affected
  • The functionality of the system that stores the information
  • The University of Tennessee program or function that uses the information
  • Any laws or regulations the information must comply with (FERPA, HIPAA, PCI, etc.)
  • The current and proposed compensating controls
  • The reason, including any technical requirements, that the best practice cannot be met

Complete and Submit the Exception Request Form

If, after the above has been completed, it is determined that an exception should be requested, the information or system custodian (see the Information Classification and Computer System Classification Policies, IT0115 and IT0116) should obtain and complete the exception request form. Additional information that will assist in the description and justification of the request, such as the risk analysis report or maps of information flow, may be attached. The completed form should be reviewed and signed by the Position of Authority for the campus or institute and then submitted to the Information Security Office for evaluation. Completed forms from the Knoxville campus should be directed to 200 Stokely Management Center. Requests from other campuses or institutes should be directed to:

Information Security Office
916 Volunteer Blvd
The University of Tennessee
Knoxville, TN 37996

If there is a need for immediate review, the requestor should notify the ISO by email at security@tennessee.edu.

Notification of Review

Once the ISO has received the exception request form, it will be reviewed. If questions or issues arise that require more information or clarification from the requestor, the ISO will contact that individual. Once the review is complete, the ISO will either approve or deny the request, and the decision will then be signed by the Information Security Officer. Notification of approval or denial, along with justification if needed, will be delivered to the requestor, usually via email. The original copy of the signed form will be retained by the ISO, with a copy returned to the requestor if desired.