University policies and procedures are put in place to help establish and maintain a safe and secure computing environment. This environment is necessary for UT Health San Antonio to accomplish its missions within reasonable timeframes, without employees and customers worrying about data loss and intrusions.
However, there are times when exceptions to policy are necessary. These exceptions may be caused by environmental factors, manufacturer restrictions or mandates from higher authorities. Information Security has put an exemption process in place to allow selected university programs to submit requests in order to operate outside some policies while maintaining the necessary protections for personnel, equipment and data.
Exemption requests must include departmental approval by the appropriate dean, director, or chair, with final approval by the university's Chief Information Security Officer (CISO). The requests must be sufficiently detailed with:
- Descriptions of the device/product,
- How the device/product is to be used,
- Explanations why the device/product cannot comply with policy, and
- Information on what compensating controls have been put in place to reduce the risk of not complying with policy.
Each of the exemption request forms has additional questions applicable to the policy.
The overall exemption process is as follows:
- Requester gathers and provides documentation justifying the exemption
- Requester submits request for exemption electronically using the online exemption request form
- To access the online form from an off-campus location, you must first connect to the University's virtual private network (VPN)
- The Chief Information Security Officer (CISO) makes the decision
- The CISO communicates the decision
- Denial - notify the requester with an explanation for denial
- Approval - notify requester, assign expiration date
Any exemptions granted will be for a maximum of one year, must be reviewed for changing circumstances and must be renewed. Additionally, exemptions are considered on a per-device basis, with one request per device. Bulk exemption requests will not be considered.
For more information regarding the exemption process, please contact Information Security by email at email@example.com, or through the Information Security Hotline at 210-567-0707.