Cybersecurity Exceptions

 Cybersecurity Exception Process Overview

The University System of New Hampshire (USNH) has established comprehensive cybersecurity policies, standards, guidelines, and procedures to protect University data and IT resources. While exceptions to these policies or standards can weaken the protection of USNH Information Technology Resources, exceptions are necessary in some instances.

A cybersecurity exception refers to a deviation from or allowance within the established USNH security policies, procedures, or controls granted to accommodate specific conditions or requirements that cannot be addressed under normal circumstances. These exceptions are typically approved when a compelling business need or operational necessity outweighs the associated security risks.


 Requesting an Exception

A requestor and their Department Head/Director must evaluate the risks that noncompliance poses to USNH's academic, research, and business processes. If the Department Head/Director deems the risk reasonable, the requestor should complete and submit the Cybersecurity Exception Request Form via the Adobe Sign form link. This form must be thoroughly completed and returned to the Cybersecurity Governance, Risk, and Compliance (GRC) team with signatures from both the requestor and department/business unit leadership.

More information regarding cybersecurity exceptions can be found in the USNH Cybersecurity Risk Management Standard.


 Compensating Controls

In cases where exceptions to current security controls are approved, compensating controls may need to be implemented to maintain security and reduce risk. The requestor, IT Data Stewards, or Internal Audit can recommend these compensating controls, and it is the requesting unit's responsibility to implement and maintain them. Note: Compensating controls may incur higher costs than the original controls.


 Exception Request, Review and Approval Process

1. Complete the Exception Request Form 

  • Open a request from the Cybersecurity Services Portal (Service: Cybersecurity Exceptions, usnh.edu) with a summary of the nature of the exception. Upon submission, the requestor will receive a Cybersecurity Exception Request Form.
  • Access and fill out the Cybersecurity Exception Request Form thoroughly. Providing detailed information, including the identified risks and associated costs, is crucial; incomplete or missing information will delay the processing of the request.
  • For assistance with the form, contact the Cybersecurity GRC analyst assigned to your ticket for guidance.

2. Discussion with the Cybersecurity GRC Team 

  • The requestor is required to meet with the USNH Cybersecurity GRC Team to discuss the request in detail. The GRC team may also recommend that other stakeholders, such as Data Stewards and/or Internal Audit, review specific decisions.

3. Approval Decision 

  • The Chief Information Security Officer (CISO) or their designee will review and either approve or deny the exception request.
  • The decision will be communicated to the requestor and the Department Head/Director.

4. Documentation and Retention 

  • The ET&S Cybersecurity GRC Team will retain records of all exception requests.

5. Validity and Review 

  • Approved exceptions are valid for one year unless a different period is warranted by the associated risk or situation.
  • Cybersecurity GRC will conduct an annual review with the requestor and departmental leadership one week before the exception's expiration. This review assesses whether the original conditions justifying the exception still apply.
  • If significant changes have occurred, a new exception request must be submitted. If only minor changes have occurred, the review may be abbreviated at the discretion of the CISO, their designee, and/or the ET&S Cybersecurity GRC team.