Dublin Institute of Technology

Size: px

Start display at page:

Download "Dublin Institute of Technology"

Patricia Phelps
5 years ago
Views:

1 Dublin Institute of Technology Information Security Exception Policy Version 1.0

2 Document Location Revision History Date of this revision: June 2017 Date of next review: June 2018 Version Number/ Revision Date Summary of Changes Author Revision Number 0.1 Oct 2017 Initial draft E Dunne, R Dunne Approval This document requires the following approvals: Name of approval body Date SLT Campus Development sub-committee 25 Jul 2017 This policy shall be reviewed and updated on an annual basis. This policy should be read in conjunction with the Institute s Information Security Policy and Acceptable Usage Policy.

3 Table of Contents 1. OVERVIEW PURPOSE ROLES AND RESPONSIBILITIES SCOPE SUPPORTING STANDARDS & PROCEDURES Expectation Process PROCESS Exception Process Form... 6

4 1. OVERVIEW All information technology resources connected to the Dublin Institute of Technology s network are expected to comply with information security policies and standards, which are designed to establish the controls necessary to protect Institute information assets. A control deficiency in one business process or IT resource can jeopardize other processes or resources. This is because erroneous data may be inherited, privacy compromised, or a conduit for an intrusion into DIT systems may be created. However, there may be a case where compliance cannot be achieved for a variety of reasons. In such cases, an exception must be documented and approved using this process. 2. PURPOSE This process provides a method of obtaining an exception to compliance with a published security standard or procedure. 3. ROLES AND RESPONSIBILITIES The following roles and responsibilities apply in relation to this process: SLT Campus Development Sub-committee: To review and approve the policy on a periodic basis Office of the President To ensure the Policy is reviewed and approved by the Governing Body ICT Services / College Technical staff: To adhere to the standards defined in this policy To consult as appropriate with members of the Leadership Teams To liaise with the Corporate Services on information received in relation to potential breaches of the policy To ensure the appropriate standards and procedures are in place to support the policy Line Manager / Head of School To define and implement standards and procedures which enforce the policy. To oversee, in conjunction with Data Owners, compliance with the policy and supporting standards and procedures. To inform the President / Registrar of suspected non-compliance and/or suspected breaches of the policy and supporting standards and procedures. Corporate Services and Academic Affairs & Registrar: To follow relevant and agreed disciplinary procedures when informed of a potential breach of the policy (Refer to Section 7). To manage the disciplinary process. Staff / Students / External Parties: To adhere to policy statements in this document. To report suspected breaches of policy to their Head of School or the ICT Services Desk

5 If you have any queries on the contents of this policy, please contact 4. SCOPE This process applies to all published information security standards and procedures. 5. SUPPORTING STANDARDS & PROCEDURES The Policy should be read in conjunction with the following Institute policies and Users should ensure compliance with these policies in addition to this policy: DIT Data Protection Policy DIT Record Retention Schedules - ules.pdf DIT IT Security Policies at including: Information Security Server Password Patching 6. EXPECTATION PROCESS An exception MAY be granted by the DIT Information Security Officer for non-compliance with a standard resulting from: Implementation of a solution with equivalent or superior protection. Scheduled retirement of a legacy system within 12 months. Inability to implement the standard due to some limitation, or for valid operational issues. Exceptions are granted for a specific period of time, not to exceed one year from date of approval. Exceptions are reviewed on a case-by-case basis, and their approval is not automatic. 7. PROCESS The completed Exception Request Form, signed by the requestor and their line manager, must be submitted to the Information Security Officer infosec@dit.ie The Exception Request must include:

6 Description of the non-compliance Anticipated length of non-compliance (1-year maximum) Proposed assessment of risk associated with non-compliance Proposed plan for managing the risk associated with non-compliance Proposed metrics for evaluating the success of risk management (if risk is significant) Proposed review date to evaluate progress toward compliance Endorsement of the request by the appropriate sponsor. If the non-compliance is due to a superior solution, an exception will normally be granted until the published standard or procedure can be revised to include the new solution. An exception request must still be submitted. 8. EXCEPTION PROCESS FORM To download the form in Microsoft Word format, go to

7 REQUESTOR CONTACT INFORMATION Requestor name DIT address DIT telephone College / Directorate DIT IT Security Exception Request form EXCEPTION REQUEST DETAILS Describe your exception request (i.e. which policy or standard in the DIT IT Security policies cannot be met) Outline why you are not in a position to comply with the DIT IT Security policies. Include any resource implications, system limitations, business needs, etc. Please note any benefits to DIT associated with accepting this risk Please list any associated hardware or software products relevant to this exception request

8 If your exception request is granted, describe any compensating controls to minimise any additional risks caused by not meeting the specific policy or standard referenced above exception request (i.e. which policy or standard in the DIT IT Security policies cannot be met) APPROVALS By signing below, as the information resource owner, I understand and accept responsibility for any risks related to the deployment or continued use of the systems/processes listed in this request. Upon approval of this request, I agree to carry out the compensating controls outlined in this request Requestor Name & title Signature Date Line Manager IT SECURITY REVIEW Recommendations/Comments Reviewed and approved by Name & Title Signature Date

Associate IT Access Control Policy

Associate IT Access Control Policy Effective from 09 July 2015 Version Number: 1.0 Author: Information Security Officer, GSU & Resolution Manager, IT Services Document Control Information Status and reason