Cyber Security Exceptions Procedure

Section 1 - Purpose and Scope

(1) The University of Queensland (UQ or the University) establishes Cyber Security Standards to ensure that cyber security controls are implemented consistently and comprehensively and to provide a basis for continual improvement. UQ’s cyber security standards are subject to rigorous review and approval processes to ensure they meet the business and technical requirements of the University, and are continually improved and updated as UQ’s requirements change.

(2) This Procedure supports UQ’s Cyber Security Policy by providing the required process for effective management of exceptions to UQ’s cyber security standards to mitigate risk and satisfy business requirements at UQ. The Procedure applies to all consumers of UQ’s information and communication technology (ICT) resources and systems (UQ consumers) as defined in the Information and Communication Technology Policy.

Context

(3) A Cyber Security Standard is a document setting out a specification, procedure or guideline. The standard should clearly model the outcome it is designed to produce, so that it is relatively easy to determine compliance. The standard may include permissible variations to a general scheme to provide flexibility and accommodate a broad range of situations.

Section 2 - Process and Key Controls

(4) Requests for cyber security exceptions must be made in writing to UQ’s Security Architect in accordance with the requirements of this Procedure.

(5) UQ’s Security Architect will review all requests for exceptions in consultation with the requester and other key stakeholders and subject matter experts.

(6) Cyber security exceptions must be approved by the Chief Information Officer after considering advice and recommendations from UQ’s Security Architect.

(7) An overview of UQ’s cyber security exception process is linked in the Appendix.

Section 3 - Key Requirements

Requesting an Exception

(8) Requests for exceptions to cyber security standards must be submitted to UQ’s Security Architect (governance@its.uq.edu.au) and contain the following information:

Risk Assessment

(9) In accordance with UQ’s Enterprise Risk Management Framework, a request for an exception must include a risk assessment to determine the level of risk that the University is exposed to if the exception is granted. The risk assessment will take into account any alternative cyber security controls that may be applicable to ensure the managed risk level remains within the University's risk appetite.

Criteria for Granting an Exception

(10) Requests for cyber security exceptions will be assessed by UQ’s Security Architect against the following criteria:

(11) Cyber security exceptions will be granted on a time limited basis only and in alignment with UQ's Enterprise Risk Management Framework and risk appetite statement. Upon expiry of an exception, compliance with the cyber security standard is required or a new exception request must be submitted.

Review and Assessment of Exception Request

(12) UQ’s Security Architect will review the request and assess whether:

(13) UQ’s Security Architect will make a recommendation to the Chief Information Officer based on the above assessment.

Approval

(14) The Chief Information Officer will review the recommendation from UQ’s Security Architect and will decide whether to grant or refuse the request for a cyber security exception.

(15) The Information Technology Services Division will advise the requester of the Chief Information Officer's decision.

Cyber Security Exceptions Register

(16) All cyber security exceptions that have been approved by the Chief Information Officer will be recorded in the University’s Cyber Security Exceptions Register, which will be reviewed annually by the UQ Security Architect and the Information Security Group.

Section 4 - Roles, Responsibilities and Accountabilities

UQ Consumers

(17) UQ consumers are responsible for submitting requests for exceptions to UQ’s Security Architect in accordance with the process outlined in this Procedure.

UQ Security Architect

(18) The UQ Security Architect is responsible for:

Chief Information Officer

(19) The Chief Information Officer is responsible for approving exceptions to cyber security standards after considering advice from UQ’s Security Architect.

Section 5 - Monitoring, Review and Assurance

(20) The Chief Information Officer will review this Procedure as required to ensure it aligns with UQ’s Cyber Security Strategy and industry best practice.

Section 6 - Recording and Reporting

(21) The UQ Security Architect is responsible for reporting annually to the Chief Information Officer on information collected and held in the Cyber Security Exceptions Register.

Section 7 - Appendix

Cyber Security Exception Procedure

(22) The following diagram provides an overview of UQ’s cyber security exception process.

Related Policies

(23) Related policies include:

Request for Exemption

(24) A request for an exemption to the Cyber Security Policy can be submitted through the Cyber Security Risk and Assurance Request Form.
See linked diagram: Cyber Security Exceptions Procedure Process.