Exceptions to security requirements

NC State has issued a number of PRRs (policies, regulations, and rules) under the authority of the Board of Trustees, the Chancellor, and the Chancellor’s designees, including the Vice Chancellor for Information Technology & CIO. Currently, these include:

Security Exceptions

At times, there may be an insurmountable technical or process barrier to complying with the requirements of these PRRs. For those cases, an exception process exists.

Process

Exception requests should be entered by Sciences IT staff on your behalf after a consultation. Send a request for an exception to help@sciences.ncsu.edu or consult with your local IT staff.

  • Exception requests are reviewed and approved by the Office of Information Technology’s Security & Compliance office (OIT S&C).
  • The College of Sciences’ IT Director provides final approval but cannot override a denial from OIT S&C.
  • Exceptions must be renewed annually.

Exceptions are not granted in bulk (as in “all computers in my lab”), but must be submitted and justified for each individual computer (or user account, where applicable).

Compensating controls

Exceptions require “compensating controls”: alternative measures that adequately secure the computer in place of the requirement being waived.

  • Sciences IT staff will assist with identifying and implementing appropriate alternatives.
  • Sciences IT staff will work with you to minimize the impact to your work and will advocate for your needs.
  • This may require a change in the way your work is done.
  • In some cases, it may also pose an inconvenience.
  • At times, satisfactorily solving the problem may result in costs to you, depending on your specific situation and requirements.

Examples

Approved: An alternative can be implemented to secure the system

A common situation occurs when a computer controls an instrument and cannot be updated, or where a common login account is required due to the nature of the experiments or functionality of the controlling software. A compensating control would be to remove access to the Internet from that computer.

Denied: A reasonable alternative exists

Consider a case where a Windows computer can only be rebooted during a specific window because of the potential disruption to long-running simulations. It can be rebooted monthly in order to apply patches, but the timing must be controlled. An exception to the System and Software Patching Standard would be denied, because it is possible for IT staff to control when patches are applied through the use of scheduled maintenance windows.

Denied: A personal preference is not an acceptable reason

Unless an exception request includes a reasonable technical or process justification, it is unlikely to be approved. Discomfort with the university scanning a computer for sensitive information or with university IT staff having access to a system has not been considered sufficient justification for an exception.