Information Security Exception Procedure

Owned by Eric Zematis
Mar 07, 2025
2 min read

  1. Purpose:

This process allows Lehigh University community members to request an exception to established information security policies and standards when necessary for legitimate business or academic purposes. Exceptions are granted only when compliance is infeasible or creates an undue hardship, and when sufficient compensating controls are in place.
Important Considerations:

  • Exceptions are not automatically granted.

  • All exceptions are temporary.

  • The requester to demonstrate the necessity of the exception.

  • All exceptions must be documented and tracked by the Information Security Office.

  1. Procedure:

  • Submit a Request: Complete the Information Security Exception Request Form ([link to form]). Provide detailed information about the requested exception, including:

    • The specific policy or standard from which you need an exception.

    • Detailed reason for the exception.

    • Proposed alternative security measures (if applicable).

    • Duration of the exception.

    • Potential risks associated with the exception.

    • Mitigating controls to address those risks.

  • Review and Approval: The Information Security Office will review the request and may consult with relevant stakeholders including senior leaders who would be impacted if the exception leads to a compromise. The ISO will approve or deny the request based on the following factors:

    • The legitimacy of the business or academic need.

    • The level of risk introduced by the exception.

    • The adequacy of proposed mitigating controls.

  • Documentation and Monitoring: Approved exceptions will be documented, including the rationale, duration, and any mitigating controls. The ISO will monitor compliance with the terms of the exception and may revoke it if necessary.

  1. Responsibilities:

  • Requester: Provide complete and accurate information in the exception request. Implement and maintain any agreed-upon mitigating controls.

  • Information Security Office: Review and approve/deny requests. Monitor compliance and manage risks associated with granted exceptions.

  1. Contact:

For questions or assistance, contact the Information Security Office at security@lehigh.edu.

Related content

Incident Response Standard
Incident Response Standard
LTS Standards & Procedures
More like this
Awareness & Training Standard
Awareness & Training Standard
LTS Standards & Procedures
More like this
Information Security: Policies, Procedures and Guidelines
Information Security: Policies, Procedures and Guidelines
LTS Knowledge Base
More like this
Assessment, Authorization, and Monitoring Standard
Assessment, Authorization, and Monitoring Standard
LTS Standards & Procedures
More like this
Change Management Standard
Change Management Standard
LTS Standards & Procedures
More like this
Configuration Management Standard
Configuration Management Standard
LTS Standards & Procedures
More like this