Objective:

To protect the confidentiality, integrity, and availability of the University of Tennessee Institute of Agriculture’s (the Institute’s) information technology (IT) assets, full compliance with all IT policies and procedures is expected. However, some circumstances may exist when a policy or procedure cannot be fully implemented regarding an IT asset(s) in a given area. This policy is to provide a formal, written process for requesting exemption from an Institute IT policy or procedure.

Scope:

This policy applies to all IT assets owned, operated, or provided by the Institute, as well as all students, faculty, staff, and users, who access, use, or handle the Institute’s IT assets.

Policy:

It is important to understand that choosing not to comply with an Institute IT policy or procedure is quite different from not being able to comply with a portion of the policy or procedure. Anyone who accesses, uses, or handles any Institute IT asset is required to do everything possible to comply with these policies and procedures. Unfortunately, there may be instances when it is not possible to be fully compliant, so a written request for an exemption is required. These instances must be submitted to the Institute’s Chief Information Security Officer (CISO).

In order to be considered for an exception, the UTIA IT0302F – Information Technology Policy Exception Request Form must be completed. This form will include as many details as possible about these topics:

Description of the business process related to the exception and who it impacts
Description of non-compliance
Business justification for non-compliance
Hardware (MAC) address for each network interface card in the computer being used
Description of data potentially affected by non-compliance
Potential risk associated with non-compliance
Maintenance plan, including mitigating controls for managing risk associated with non- compliance
Anticipated period of non-compliance
Proposed date to review progress toward compliance
Any additional information to support need for exception

The requester will discuss with the Director/Department Head and, if in agreement, both parties will sign and submit the form to the Institute’s CISO. Upon submission, the CISO will conduct an initial review of the exception request based on risk to the Institute. The CISO will then send to the appropriate Budget Director and Institute leadership (i.e., unit Dean) for additional review. Once the Budget Director and Institute leadership have approved the

request, it will be forwarded back to the Institute’s CISO for final approval. The decision will be provided in writing, along with the review date or expiration date, if approved.

Exceptions will be cataloged on a private security site with limited access. In the event of an audit, contact the CISO for access.

If an exception is approved, a review date or expiration date will be assigned. If still non- compliant, a new UTIA IT0302F – Information Technology Policy Exception Request Form must be submitted. Please note that if an exception is approved once, it is not guaranteed to be approved again, as this process is not meant to last in perpetuity.

In the event of any significant change (i.e., business process, who is impacted, change in the person responsible for managing the risk associated with the exception request), a new UTIA IT0302F – Information Technology Policy Exception Request Form must be submitted at once.

References:

UTIA Glossary of Information Technology Terms

UTIA IT0302F – Information Technology Policy Exception Request Form UTIA IT0124 – Information Technology Risk Assessment Policy

UTIA IT0124P1 – Information Technology Risk Assessment Procedures UTIA IT0115 – Information and Computer System Classification Policy

For more information, contact Sandy Lindsey, CISO, at (865) 974-7292, or email sandy@tennessee.edu.

Approval of Policy

We approve UTIA IT0302 – Information Technology Formal Exception Policy as described in this document.

Name	Title	Signature	Date
Tim Cross, Ph.D.	Senior Vice President and Senior Vice Chancellor, UTIA
Angela A. Gibson	Chief Information Officer, UTIA
Sandra D. Lindsey	Chief Information Security Officer, UTIA