IT security at the University of California and UCSB is governed by BFB IS-3 and supporting standards. The policy (Section 2.2) recognizes that there are occasions where a system or process cannot be compliant with the policy as written and that alternative equivalent mitigations may be acceptable. There may also be occasions when mitigations may be inadequate to reach an equivalent level of protection, and risk acceptance may be required. 

Mechanism to request an exception or risk acceptance:

  • Step 1: Review this knowledge base article to help you fill out the required information.
  • Step 2: Be ready to answer the following in the form. Failure to fully and accurately provide this information will result in the exception being denied. 
    • What is the specific policy or standard for which you are seeking an exception or risk acceptance? This reason must include reference to the applicable section of the policy or standard.
    • Why is the exception needed?
    • For how long is the exception needed?
    • What alternative security controls have you implemented to reduce risks associated with the exception?
    • What is the long term mitigation plan to ensure that the system or process is compliant with university policies? 
    • What system, application, service, vendor, or vulnerability name is the request for?
    • What unique identifier or URL is this risk exception associated with?
    • What types of data are hosted or used for this service?
    • What data protection and availability level are associated with this request?
  • Step 3: Complete the form in ServiceNow. 

Review and approval process:

  It should be noted that not all exception requests will be granted. An exception requires four approval levels:

  1. The Office of Information Security (OIS) - Security Operations Center (SOC) team reviews the request and confirms that it is a qualifying exception.
  2. The Unit Information Security Lead (UISL) reviews and approves the proposed exception or risk acceptance.
  3. The Unit Head reviews and approves the request and indicates acceptance of responsibility.
  4. The Chief Information Security Officer (CISO) reviews and approves the request.

  The CISO, at their discretion, may choose to specify additional approvers and may raise approval to the Cyber Risk Responsible Executive (CRE).

Ready to begin the process?

Complete and submit the request form in ServiceNow.