Business Process Risk Acceptance - RA#: G_____

 

Regarding Administrative Guide Memo #______, or Business Process Guideline or Standard _____________________________, dealing with the topic of _________________

__________________________________________________________________________________.

 

I understand that compliance with Stanford University policies and standards is expected for all organizational units (e.g. schools and departments), business processes and the related information and communication systems.  I have read the above-named policy or standard and I believe that the control(s) described therein should not be required for the following organizational unit, business process, or information system, _______________________________________________________________________________________________________________________________________ _______________________________________________________________________________________________________________________________________.

 

I understand that a control deficiency in one business process or system can jeopardize other processes or systems because erroneous data may be inherited, privacy can be compromised or because a conduit for an intrusion into Stanford University systems may be created. 

 

I understand that an exception to University policies and standards is appropriate only when compliance would: (a) adversely affect the accomplishment of Stanford University business, (b) cause a major adverse financial impact that would not be offset by the reduced risk occasioned by compliance and/or (c) adversely reflect upon the University’s reputation. 

 

An exception to this policy or standard is warranted because:

_____________________________________________________________________________________________________________________

_____________________________________________________________________________________________________________________.

 

A written assessment has been prepared of the risks associated with being out-of-compliance with the above-mentioned policy or standard.  This risk assessment has been jointly prepared with the assistance of the Internal Audit and Institutional Compliance Department and has been reviewed by the Controller's Office, Risk Management Office, and the Internal Audit and Institutional Compliance Department.

 

I, as the responsible manager, accept responsibility for the risks associated with this exception to information security policies and/or standards. I understand that responsibility for the risks includes acceptance of the potential personal and departmental sanctions described in Administrative Guide Memo ____________________, or University standard regarding _______________________________________.  I also understand that this exception must be reviewed at the shorter of the annual or re-application periods and will expire in _______ month(s) from the date the above-mentioned approvals are obtained.

 

 

 

_______________________________________    

Signature of responsible manager                  Date

 

 

 

 

_______________________________________

Printed name of responsible manager

 

 

_______________________________________    

Business Owner / Principal Investigator               Date

 

 

_______________________________________    

Process Owner                                                            Date

 

 

_______________________________________    

Data Owner                                                                Date

 

 

_______________________________________    

System Administrator                                               Date

 

 

_______________________________________    

Risk Management                                     Date

 

 

_______________________________________    

Internal Audit & Institutional Compliance                 Date

 

 
eln-030807