Skip to content Skip to site navigation Skip to service navigation

Request a Compliance Exception

Minimum Security Standards exception requests are handled separately for endpoints (laptops, desktops, and mobile devices) versus servers and applications. These are the process and acceptance criteria for each.

Review the Endpoints section to learn whether you might qualify for an exception for your laptop, desktop, or mobile device and how to request an exception.

Endpoints

Endpoint security exceptions are allowed when adherence to the Minimum Security Standards is not possible for technical reasons. Exceptions are not allowed if you own an endpoint used to access the Stanford network, you are concerned about the impact of Minimum Security Standards on an endpoint's system performance, or you believe that the endpoint is unlikely to be used to access High Risk Data.

Examples of endpoint exception requests

As of May 2017, the criteria for granting new exceptions and renewing exceptions have been narrowed. These are examples of exception requests that are typically approved for endpoints:

  • A physically anchored desktop computer dedicated to directly controlling scientific research equipment that cannot be upgraded due to specialized software that is unavailable on an operating system that supports encryption.
  • A classroom or kiosk computer that is re-imaged daily, physically secured, and does not copy email or other files in bulk locally.
  • An Android 7 device (which currently prevents compliance reporting via MyDevices) with Stanford Mobile Device Management (MDM) installed and verified.

Note: Because BlackBerry mobile devices, Windows phones, and Linux systems are currently not supported by MDM or  Stanford Whole Disk Encryption (SWDE), they are temporarily exempt from the verifiable encryption requirement. Until verifiable encryption is supported, these devices should not be used to store, process, or transmit Protected Health Information or other Moderate or High Risk Data without a formal exception. All Linux systems should still back up their files on a regular basis.

How to submit an endpoint exception request

Because exception requests are reviewed on a case-by-case basis, it is important to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions are assigned an expiration date to ensure that the request is reviewed later for validity and necessity.

Click the button to submit an endpoint exception request. Allow five business days to process your request.

Submit a temporary
endpoint exception request

Review the Servers and Applications section to learn whether you might qualify for an exception for your server or application and how to request an exception.

Servers and Applications

Server and application exceptions are allowed when adherence to the Minimum Security Standards is not possible for technical reasons.

Examples of Server and Application Exception Requests

These are examples of exception requests that are typically approved for servers and applications:

  • A required security tool is not supported by an (up-to-date) OS or application.
  • An OS or application cannot be updated because of a critical dependency on version.
  • No updates are available for a vendor supported system.
  • A system does not support password complexity requirements.

How to submit a server or application exception request

Because exception requests are reviewed on a case-by-case basis, it is important to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions are assigned an expiration date to ensure that the request is reviewed later for validity and necessity.

Click the button to submit a server or application exception request. Allow five business days to process your request.

Submit a temporary
server/application exception request

Last modified January 12, 2018