SP 6-10m – Exception Management

Colorado Community College System / System Procedure

SP 6-10m

APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021

REFERENCE: Board Policy (BP) 6-10, Cyber Security Policy


/ Joe Garcia /
Joseph A. Garcia


This procedure documents Colorado Community College System and its Colleges’ (“CCCS”) requirements for the management of exceptions to CCCS Cyber Security procedures.


This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.



Exception is defined as any deviation to the existing CCCS information security procedures.


The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.

CCCS understands that situations may arise where deviations from standard business and Information Technology processes must occur. Deviation from standard processes is discouraged; however, the deviation may be provided an exception to CCCS procedure requirements given that the alternative presents a reasonable, justifiable business case for a procedure exception, resources are sufficient to properly implement and maintain the alternative process, the process outlined in this and other related documents is followed, and other CCCS procedures and process are upheld.

  • Exceptions to CCCS procedures must be formally requested with a justifiable business case, and approved by the System IT Department (“System IT”) prior to implementation.
  • Procedure exceptions must be formally documented within System IT or the College IT Department (“College IT”) ticketing system.
  • The requesting party shall develop remediation plans to address the underlying cause of the procedure exception.
  • Remediation plans shall be implemented and tracked by System IT or College IT for completion.
  • Procedure exceptions, including the business case and remediation plans, must be reviewed and approved annually by the CCCS Manager of Information Security and the College’s IT Director.
  • Exceptions to CCCS procedures shall not be given for an initial period of more than 12 months.
  • Procedure exceptions shall be re-assessed to determine if the exception needs to be extended longer than 12 months.


CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.