According to TAMU SAP 29.01.03.M0.01, the implementation of information security controls as detailed in the Texas A&M Information Security Control Catalog is mandatory for all Texas A&M University information systems. Any exception to these security controls, or to any Texas A&M University Rules or Standard Administrative Procedures that relate to information resources, must be requested by the information resource owner and approved by the Chief Information Security Officer. The exception process is governed by TAMU SAP 29.01.03.M0.03.
To request an exception to any IT policy, please submit the online IT Policy Exception Form. You will be asked for the following information:
- Business and technical contacts
- Information regarding the specific policy or control for which you are seeking the exception
- Information about the information resources relevant to the exception (i.e., DNS names of each machine in the system)
- Business purpose for the policy exception
- The business impact if the exception is denied
- Mitigation against risk (compensating controls)
Once submitted, the exception request will be reviewed by the Risk Management team and will then be routed to the unit head (college dean or division vice president) for approval. Once the unit head has approved the request, it will be routed to the university Chief Information Security Officer for final approval.
If you have questions, email it-security@tamu.edu for guidance.