Minimum Security Standards exception requests are handled separately for endpoints (laptops, desktops, and mobile devices) vs. servers and applications. Below we explain the process and acceptance criteria for each.
Endpoints (Laptops, Desktops, and Mobile Devices)
In light of incidents involving endpoints with Minimum Security Standards exceptions, the criteria for granting exceptions have been narrowed as of May 2017. These criteria are being applied to both new requests as well as renewals.
Endpoint security exceptions are reserved for situations where adherence to the Minimum Security Standards is not possible for technical reasons. Ownership of the device (personally vs. Stanford owned), system performance impact, and unlikely exposure to High Risk Data are not grounds for exceptions.
Exception requests are reviewed on a case-by-case basis, and it is important for you to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions will be assigned an expiration date to ensure that the request is reviewed again later for validity and necessity.
Below are examples of exception requests that are typically approved for endpoints:
- Physically anchored desktop computer dedicated to directly controlling scientific research equipment that cannot be upgraded due to specialized software that is unavailable on an operating system that supports encryption.
- Classroom or kiosk computer that is re-imaged daily, physically secured, and does not copy email or other files in bulk locally.
- Android 7 device (which currently prevents compliance reporting via MyDevices) with Stanford MDM installed and verified.
Note: BlackBerry mobile devices, Windows Phones, and Linux systems are currently not supported by MDM or SWDE, and so are temporarily exempt from the verifiable encryption requirement. Until verifiable encryption is supported, these devices should not be used to store, process, or transmit Protected Health Information or other Moderate or High Risk Data without a formal exception. All Linux systems should still back up their files on a regular basis.
Get Started: Submit a temporary endpoint exception request (please allow five business days for the processing of your request)
Servers and Applications
Server and application exceptions are reserved for situations where adherence to the Minimum Security Standards is not possible for technical reasons.
Exception requests are reviewed on a case-by-case basis, and it is important for you to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions will be assigned an expiration date to ensure that the request is reviewed again later for validity and necessity.
Below are examples of exception requests that are typically approved for servers and applications:
- Required security tool is not supported by (up-to-date) OS or application
- OS or application cannot be updated because of a critical dependency on version
- No updates available for a vendor-supported system
- System does not support password complexity requirements
- Remote staff unable to attend SISA training in person
Get Started: Submit a temporary server/application exception request (please allow five business days for the processing of your request)