
STANFORD UNIVERSITY

INTERNAL AUDIT & INSTITUTIONAL COMPLIANCE

Stanford Policy Exception and Risk Assumption Process

Background

It is imperative that Stanford University faculty, staff and students comply with all University policies, procedures, standards and guidelines. However, there are circumstances in which compliance with, or conformance to, a University policy, procedure, standard or guideline is not possible. In such instances, an exception must be documented and approved. This process defines the requirements for formally authorizing exceptions where the cost of the control is much greater than the risk represented by non-compliance with University Policies and Standards.
In other words: the Policy Exception & Risk Assumption process applies to cases where the cost to remediate academic or administrative practices and systems that are not compliant with University Policies and Standards greatly exceeds the risk of leaving them non-compliant.

Exception Process

Exceptions to University Policies and Standards may be permitted in instances where the institutional risk is likely to exist for more than three (3) months and a risk analysis has been performed that identifies the risk as a high-level risk to the University. The risk analysis must be documented in a written risk assessment, prepared jointly by the responsible business owner, data owner, principal investigator, business process owner and/or system administrator. The responsible managers will prepare and sign a standard risk acceptance form. For all policy exception requests other than Data Security Policy exceptions, the cognizant policy/standard office, the Office of Risk Management and the Internal Audit & Institutional Compliance Department must review the request. For Data Security Policy exception requests, the University's Data Governance Board (DGB) must review the request. The Internal Audit & Institutional Compliance Department is responsible for tracking University-level policy exceptions.

Requests for exception must include: a valid business justification; a risk analysis; compensating controls to manage risk; and technical reasons for the exception.
Requests for exception that create significant risks without compensating controls will not be approved.
Requests for exceptions are reviewed for validity and are not automatically approved.
Requests for exceptions must be periodically reviewed to ensure that the underlying assumptions or business conditions have not changed. Exception renewals are not automatically approved.


Please return the completed (and executed) Agreement to: Internal Audit & Institutional Compliance Department.

Last modified Saturday, 23-May-2009 09:26:13 AM
