Exemption Request

Overview

Exemptions are required when a necessary business process cannot meet the requirements of a security policy. The purpose of the IT Security Exemption Request is to provide a process to review, approve, reject, and document exemptions to the university’s published information security policies. This policy is intended to address situations where necessary business processes, cannot be compliant with a published CSU or SDSU information security policy.  

The requesting department and/or their designated IT manager agree to the following:

• Exemptions are granted on a temporary basis with a starting and expiration date.
• Exemptions may not exceed one year.
• The campus unit may request an extension on a case-by-case basis.
• All exemptions are subject to a review process and exemptions may be revoked if current policies or the information in this request changes.
• Approval requests are approved or denied by the IT Security Office.

Are you eligible?

This institution-wide process applies to all units and authorized staff requesting an exemption to university information security policies.

Cost

There is no direct cost to you or your department.

Get Started

Submit a ServiceNow request to initiate an Exemption Request. The IT Security Office will perform the following tasks for an Exemption Request:

• Review the request, determine a risk rating, and document any other relevant information for consideration.
• Recommend security controls to ensure the confidentiality, integrity, and availability of data and systems.
• Provide a determination on whether to approve or deny the Exemption Request.

Get Help

ServiceNow Knowledgebase Article on Exemption Requests (coming soon).