Yale's Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems. The MSS ensure we build and maintain secure IT Systems based on the risk they carry.
Sometimes, IT Systems have valid reasons for not meeting one or more of these standards. We have exception requests to help reduce risk when these situations occur.
Note: Do not use this form to request administrative rights on your computer. Please use the Request Local Administrative Access form instead.
What is an exception request?
An exception request is for when an IT System cannot meet one or more of Yale's MSS. During the request process, the Information Security Office (ISO) works to:
• Identify the risk associated with not meeting the MSS.
• Propose solutions to mitigate the risk that meet the needs of the IT System.
This process protects Yale's data and IT Systems. It also ensures compliance with external regulatory requirements (e.g. HIPAA, PCI, FERPA).
When should I request an exception?
Request an exception whenever an IT System cannot meet a Minimum Security Standard. We ask that you provide a business or academic reason for why the standard cannot be met.
An exception request can be submitted by anyone with a Yale Net ID. Exception requests are required for an IT System that cannot meet a security policy or MSS. This includes IT Systems hosted by a third party (e.g. cloud services).
The Exception Request form is not for requesting administrative rights on your computer. Please use the Request Local Administrative Access form instead.
Can I submit an exception request for a different Yale Policy (not the MSS)?
You can submit an exception to the ISO for any security-related policy or standard. Our policies and standards page includes a complete list of these policies.
How is an exception granted?
Exception requests are submitted to the ISO. Our team evaluates the risk of each request. We then provide recommendations for mitigating that risk. We call these recommendations "compensating controls."
Any risk we cannot mitigate is called "residual risk." We raise any residual risk to the appropriate level of University leadership. Leadership will be responsible for approving the exception and accepting the residual risk.
We will notify you of the results of your exception request by email. This includes compensating controls to apply to your IT System. We recommend working with your IT Support Provider to apply compensating controls.