Information Security Risk Acceptance - RA# _____

 

Regarding Administrative Guide Memo #______, or Information Security Standard _____________________________, dealing with the topic of _________________

_________________________________________________________.

 

I understand that compliance with Stanford University information security policies and standards is expected for all organizational units (e.g. schools and departments), information systems, and communication systems.  I have read the above-named policy or standard and I believe that the control(s) described therein should not be required for the following organizational unit, information system, or communication system, _____________________________________________________________________________________ _______________________________________________________________________________________________________________________________________.

 

I understand that a control deficiency in one network-connected system can jeopardize other information systems because erroneous data may be inherited, privacy can be compromised, or a conduit for an intrusion into Stanford University systems may be created.

 

I understand that an exception to information security policies and standards is appropriate only when compliance would: (a) adversely affect the accomplishment of Stanford University business, (b) cause a major adverse financial impact that would not be offset by the reduced risk occasioned by compliance and/or (c) adversely reflect upon the University’s reputation. 

 

An exception to this policy or standard is warranted because:

_____________________________________________________________________________________________________________________

_____________________________________________________________________________________________________________________.

 

A written assessment has been prepared of the risks associated with being out-of-compliance with the above-mentioned policy or standard. This risk assessment has been jointly prepared with the assistance of the Information Security Office and the Internal Audit Department and has been reviewed by the Information Security Office, Risk Management Office, and the Internal Audit and Institutional Compliance Department.

 

I, as the responsible manager, accept responsibility for the risks associated with this exception to information security policies and/or standards. I understand that responsibility for the risks includes acceptance of the potential personal and departmental sanctions described in Administrative Guide Memo #63, Information Security. I also understand that this exception must be reviewed at the shorter of the annual or re-application periods, and will expire in _______ month(s) from the date the above-mentioned approvals are obtained.

 

 

 

_______________________________________    

Signature of responsible manager                  Date

 

 

 

 

_______________________________________

Printed name of responsible manager

 

 

_______________________________________    

Business Owner                                                      Date

 

 

_______________________________________    

System Administrator                                               Date

 

 

_______________________________________    

Data Owner                                                                Date

 

 

_______________________________________    

Information Security Office                                     Date

 

 

_______________________________________    

Risk Management Office                                        Date

 

 

_______________________________________    

Internal Audit & Institutional Compliance Department                                 Date

 

 
eln-030807