Procedures

Cyber Security Exceptions - Procedure

Printer-friendly version
Body

1.0   Purpose and Scope

The University of Queensland (UQ or the University) establishes cyber security standards to ensure that cyber security controls are implemented consistently and comprehensively and to provide a basis for continual improvement. UQ’s cyber security standards are subject to rigorous review and approval processes to ensure they meet the business and technical requirements of the University, and are continually improved and updated as UQ’s requirements change.

This procedure supports UQ’s Cyber Security Policy by providing the required process for effective management of exceptions to UQ’s cyber security standards to mitigate risk and satisfy business requirements at UQ. The procedure applies to all consumers of UQ’s information and communication technology (ICT) resources and systems (UQ consumers) as defined in the Information and Communication Technology Policy.

1.1   Context

A cyber security standard is a document setting out a specification, procedure or guideline. The standard should clearly model the outcome it is designed to produce, so that it is relatively easy to determine compliance. The standard may include permissible variations to a general scheme to provide flexibility and accommodate a broad range of situations.

2.0   Process and Key Controls

  1. Requests for cyber security exceptions must be made in writing to UQ’s Security Architect in accordance with the requirements of this procedure.
  2. UQ’s Security Architect will review all requests for exceptions in consultation with the requester and other key stakeholders and subject matter experts.
  3. Cyber security exceptions must be approved by the Chief Information Officer after considering advice and recommendations from UQ’s Security Architect.

An overview of UQ’s cyber security exception process is set out in section 7.1.

3.0   Key Requirements

3.1   Requesting an Exception

Requests for exceptions to cyber security standards must be submitted to UQ’s Security Architect (governance@its.uq.edu.au) and contain the following information: 

  • A description of the instance.
  • A description of the required exception.
  • The reason the exception is required.
  • How long the exception is needed and a list of actions with time frames to implement compliance before the exception expires.
  • A completed risk assessment, including a description of an alternative cyber security control (if one is proposed).

3.1.1   Risk Assessment

In accordance with UQ’s Enterprise Risk Management Framework, a request for an exception must include a risk assessment to determine the level of risk that the University is exposed to if the exception is granted. The risk assessment will take into account any alternative cyber security controls that may be applicable to ensure the managed risk level remains within the University's risk appetite.

3.2   Criteria for Granting an Exception

Requests for cyber security exceptions will be assessed by UQ’s Security Architect against the following criteria:

  • Any adverse impact of applying the standard and the frequency of similar instances requiring an exception.
  • The length of time the exception is required for.
  • The proposed alternative control to provide acceptable risk mitigation.
  • The net benefit of granting an exception to the standard.

Cyber security exceptions will be granted on a time limited basis only and in alignment with UQ's Enterprise Risk Management Framework and risk appetite statement. Upon expiry of an exception, compliance with the cyber security standard is required or a new exception request must be submitted.

3.3   Review and Assessment of Exception Request

UQ’s Security Architect will review the request and assess whether:

  1. the request satisfies the criteria for granting an exception;
  2. the risk assessment identifies the relevant risks and controls to ensure the managed risk level is within UQ’s risk appetite; and
  3. the exception demonstrates a clear benefit to the University.

UQ’s Security Architect will make a recommendation to the Chief Information Officer based on the above assessment.

3.4   Approval

The Chief Information Officer will review the recommendation from UQ’s Security Architect and will decide whether to grant or refuse the request for a cyber security exception.

The Information Technology Services Division will advise the requester of the Chief Information Officer’s decision.

3.5   Cyber Security Exceptions Register

All cyber security exceptions that have been approved by the Chief Information Officer will be recorded in the University’s Cyber Security Exceptions Register, which will be reviewed annually by the UQ Security Architect and the Information Security Group.

4.0   Roles, Responsibilities and Accountabilities

4.1   UQ consumers

UQ consumers are responsible for submitting requests for exceptions to UQ’s Security Architect in accordance with the process outlined in this procedure.

4.2   UQ Security Architect

The UQ Security Architect is responsible for:

  • Reviewing requests for exceptions in consultation with the requester, relevant stakeholders and subject matter experts.
  • Managing cyber security exceptions including processing requests for exceptions in accordance with this procedure.
  • Maintaining the Cyber Security Exceptions Register.
  • Ensuring the University’s cyber security standards are well maintained.

4.3   Chief Information Officer

The Chief Information Officer is responsible for approving exceptions to cyber security standards after considering advice from UQ’s Security Architect.

5.0   Monitoring, Review and Assurance

The Chief Information Officer will review this procedure as required to ensure it aligns with UQ’s Cyber Security Strategy and industry best practice.

6.0   Recording and Reporting

The UQ Security Architect is responsible for reporting annually to the Chief Information Officer on information collected and held in the Cyber Security Exceptions Register.

7.0   Appendix

7.1   Cyber Security Exception Procedure

The following diagram provides an overview of UQ’s cyber security exception process.

7.2   Related Policies

Cyber Security Policy

Information and Communication Technology Policy

Custodians
Chief Information Officer Mr Rob Moffatt
Custodians
Chief Information Officer Mr Rob Moffatt