
Request a Compliance Exception

Minimum Security Standards exception requests are handled separately for endpoints (laptops, desktops, and mobile devices) versus servers and applications. These are the process and acceptance criteria for each.

Endpoints (Laptops, Desktops, and Mobile Devices)

The criteria for granting exceptions have been narrowed as of May 2017. These criteria apply to both new requests and renewals.

Endpoint security exceptions are reserved for situations where adherence to the Minimum Security Standards is not possible for technical reasons. Personal ownership of the device, system performance impact, and unlikely exposure to High Risk Data are not grounds for exceptions.

Exception requests are reviewed on a case-by-case basis, and it is important for you to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions are assigned an expiration date to ensure that the request is reviewed again later for validity and necessity.

These are examples of exception requests that are typically approved for endpoints:

  • Physically anchored desktop computer dedicated to directly controlling scientific research equipment that cannot be upgraded because the specialized software it depends on is unavailable on an operating system that supports encryption.
  • Classroom or kiosk computer that is re-imaged daily, physically secured, and does not copy email or other files in bulk locally.
  • Android 7 device (which currently prevents compliance reporting via MyDevices) with Stanford Mobile Device Management (MDM) installed and verified.

Note: Because BlackBerry mobile devices, Windows phones, and Linux systems are currently not supported by MDM or Stanford Whole Disk Encryption (SWDE), they are temporarily exempt from the verifiable encryption requirement. Until verifiable encryption is supported, these devices should not be used to store, process, or transmit Protected Health Information or other Moderate or High Risk Data without a formal exception. All Linux systems should still back up their files on a regular basis.


Get Started: Submit a temporary endpoint exception request (please allow five business days to process your request)

Servers and Applications

Server and application exceptions are reserved for situations where adherence to the Minimum Security Standards is not possible for technical reasons.

Exception requests are reviewed on a case-by-case basis, and it is important for you to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions will be assigned an expiration date to ensure that the request is reviewed again later for validity and necessity.

These are examples of exception requests that are typically approved for servers and applications:

  • Required security tool is not supported by the (up-to-date) OS or application
  • OS or application cannot be updated because of a critical dependency on the current version
  • No updates are available for a vendor-supported system
  • System does not support password complexity requirements
  • Remote staff are unable to attend Stanford Information Security Academy (SISA) training in person

Get Started: Submit a temporary server/application exception request (please allow 5 business days to process your request)


Last modified December 4, 2017