Stanford Seal     Information Security Risk Acceptance - SU# _____

 

Regarding Administrative Guide Memo #______, or Information Security Standard _____________________________, dealing with the topic of _________________

_________________________________________________________.

 

I understand that compliance with Stanford University information security policies and standards is expected for all organizational units (e.g. schools and departments), information systems, and communication systems.  I have read the above-named policy and I believe that the control(s) described therein should not be required for the following organizational unit, information system, or communication system, _____________________________________________________________________________________ _______________________________________________________________________________________________________________________________________.

 

I understand that an exception to information security policies is appropriate only when compliance would: (a) adversely affect the accomplishment of Stanford University business, or (b) cause an adverse financial impact that would not be offset by the reduced risk occasioned by compliance.  

 

An exception to this policy is warranted because:

_____________________________________________________________________________________________________________________

_____________________________________________________________________________________________________________________.

 

A written assessment has been prepared of the risks associated with a policy exception.  This risk assessment has been jointly prepared with the assistance of Information Security Office and Internal Audit Department and has been reviewed by the Data Governance Board.

 

I, as the responsible university approver, accept responsibility for the risks associated with this exception to information security policies. I understand that the risks include potential loss of information and acceptance of the personal and departmental sanctions described in Administrative Guide Memo #63, Information Security.  I also understand that this exception may be revoked and will be subject to Internal Audit's annual follow-up procedures.

 

 

 

_______________________________________    

Signature of Requestor                               Date

 

 

 

 

_______________________________________

Printed name of Responsible University Approver

 

 

_______________________________________    

Responsible University Approver                          Date

 

 

_______________________________________    

Data Governance Board                                            Date

 

 

_______________________________________    

Data Owner                                                               Date

 
eln-030807