A cybersecurity exception refers to a deviation from or allowance within the established USNH security policies, procedures, or controls granted to accommodate specific conditions or requirements that cannot be addressed under normal circumstances. These exceptions are typically approved when a compelling business need or operational necessity outweighs the associated security risks. By default, Cybersecurity Exceptions will be in place for one year. At that time Cybersecurity GRC will contact the requestor to close the ticket or meet to begin an extension review.

A requestor and their Department Head/Director must evaluate the risks that noncompliance poses to USNH's academic, research, and business processes. If the Department Head/Director deems the risk reasonable, the requestor should complete and submit the Cybersecurity Exception Request Form via the Adobe Sign form link. This form must be thoroughly completed and returned to the Cybersecurity Governance, Risk, and Compliance (GRC) team with signatures from both the requestor and department/business unit leadership.

More information regarding cybersecurity exceptions can be found in the USNH Cybersecurity Risk Management Standard and the Exception Knowledge Base Article

Requesting A Cybersecurity Exception

• Download and fill out the Cybersecurity Exception Request Form thoroughly. It is important to provide detailed information, including identified risks, associated costs, and compensating controls. Incomplete or missing information will delay the processing of your request. Contact the Cybersecurity GRC analyst assigned to your ticket for assistance with the form.
• Upload the completed (including requestor and leadership signatures) exception form to your TDX request ticket.
• Cybersecurity GRC will communicate the workflow progress through your TDX