PCI Security Risk Acceptance - RA#: P_____


Regarding Administrative Guide Memo #______, or Payment Card Industry (PCI) - Data Security Standard (PCI-DSS) _____________________________, dealing with the topic of _________________ __________________________________________________________________________________.


I understand that compliance with Stanford University PCI security policies and standards is expected for all organizational units (e.g. schools and departments), business processes, and the related information and communication systems. I have read the above-named policy or standard and I believe that the control(s) described therein should not be required for the following organizational unit, business process, information system, or communication system: _______________________________________________________________________________________________________________________________________ _______________________________________________________________________________________________________________________________________.


I understand that a control deficiency in one business process or system can jeopardize other processes or systems, because erroneous data may be inherited, privacy may be compromised, or a conduit for an intrusion into Stanford University systems may be created.


I understand that an exception to PCI security policies and standards is appropriate only when compliance would: (a) adversely affect the accomplishment of Stanford University business, (b) cause a major adverse financial impact that would not be offset by the reduced risk occasioned by compliance, and/or (c) adversely reflect upon the University's reputation.


An exception to this policy or standard is warranted because:

_____________________________________________________________________________________________________________________

_____________________________________________________________________________________________________________________.


A written assessment has been prepared of the risks associated with being out of compliance with the above-mentioned policy or standard. This risk assessment has been jointly prepared with the assistance of the Controller's Office and the Internal Audit Department, has been reviewed by the Controller's Office, the Risk Management Office, and the Internal Audit and Institutional Compliance Department, and has been approved by the eCommerce Strategic Advisory Committee (eSAC).


I, as the responsible manager, accept responsibility for the risks associated with this exception to information security policies and/or standards. I understand that responsibility for the risks includes acceptance of the potential personal and departmental sanctions described in Administrative Guide Memos #63 (Information Security) and #65 (Electronic Commerce). I also understand that this exception must be reviewed at the shorter of the annual or re-application period and will expire in _______ month(s) from the date the above-mentioned approvals are obtained.


_______________________________________
Signature of responsible manager                  Date

_______________________________________
Printed name of responsible manager

_______________________________________
Business Owner                                    Date

_______________________________________
Process / System Administrator                    Date

_______________________________________
eSAC Representative                               Date

_______________________________________
Controller's Office                               Date

_______________________________________
Risk Management                                   Date

_______________________________________
Internal Audit & Institutional Compliance         Date

eln-030807