Minimum Security Standards exception requests are handled separately for endpoints (laptops, desktops, and mobile devices) versus servers and applications. These are the process and acceptance criteria for each.
Review the Endpoints section to learn whether you might qualify for an exception for your laptop, desktop, or mobile device and how to request an exception.
Endpoints
Endpoint security exceptions are allowed when adherence to the Minimum Security Standards is not possible for technical reasons. Exceptions are not granted on the basis of device ownership, concerns about system performance impact, or unlikely access to High Risk Data.
These are examples of exception requests that are typically approved for endpoints:
- A physically anchored desktop computer dedicated to directly controlling scientific research equipment that cannot be upgraded due to specialized software that is unavailable on an operating system that supports encryption.
- A computer running an OS that has been sunsetted (i.e., Mac OS 10.14) that cannot be upgraded due to specialized software. Please be able to provide written justification from the vendor stating that the software requires the specific OS. These devices should still have SWDE/VLRE installed.
- A classroom or kiosk computer that is re-imaged daily, physically secured, and does not copy email or other files in bulk locally.
Note: Because Android mobile devices, Windows phones, and Linux systems are currently not supported by MDM or Stanford Whole Disk Encryption (SWDE), they are temporarily exempt from the verifiable encryption requirement. Until verifiable encryption is supported, these devices should not be used to store, process, or transmit Protected Health Information or other Moderate or High Risk Data without a formal exception. All Linux systems should still back up their files on a regular basis.
How to submit an endpoint exception request
Because exception requests are reviewed on a case-by-case basis, it is important to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions are assigned an expiration date to ensure that the request is reviewed later for validity and necessity.
Click the button to submit an endpoint exception request. Allow five business days to process your request.
Review the Servers and Applications section to learn whether you might qualify for an exception for your server or application and how to request an exception.
Servers and Applications
Server and application exceptions are allowed when adherence to the Minimum Security Standards is not possible for technical reasons.
Examples of Server and Application Exception Requests
These are examples of exception requests that are typically approved for servers and applications:
- A required security tool is not supported by an (up-to-date) OS or application.
- An OS or application cannot be updated because of a critical dependency on a specific version.
- No updates are available for a vendor-supported system.
- A system does not support password complexity requirements.
How to submit a server or application exception request
Because exception requests are reviewed on a case-by-case basis, it is important to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions are assigned an expiration date to ensure that the request is reviewed later for validity and necessity.
Click the button to submit a server or application exception request. Allow five business days to process your request.