SP 6-10m – Exception Management
Colorado Community College System / System Procedure
SP 6-10m
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCE: Board Policy (BP) 6-10, Cyber Security Policy
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
BASIS
This procedure documents Colorado Community College System and its Colleges’ (“CCCS”) requirements for the management of exceptions to CCCS Cyber Security procedures.
APPLICATION
This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.
DEFINITION
Exception
Exception is defined as any deviation to the existing CCCS information security procedures.
PROCEDURE
The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
CCCS understands that situations may arise where deviations from standard business and Information Technology processes must occur. Deviation from standard processes is discouraged; however, the deviation may be provided an exception to CCCS procedure requirements given that the alternative presents a reasonable, justifiable business case for a procedure exception, resources are sufficient to properly implement and maintain the alternative process, the process outlined in this and other related documents is followed, and other CCCS procedures and process are upheld.
- Exceptions to CCCS procedures must be formally requested with a justifiable business case, and approved by the System IT Department (“System IT”) prior to implementation.
- Procedure exceptions must be formally documented within System IT or the College IT Department (“College IT”) ticketing system.
- The requesting party shall develop remediation plans to address the underlying cause of the procedure exception.
- Remediation plans shall be implemented and tracked by System IT or College IT for completion.
- Procedure exceptions, including the business case and remediation plans, must be reviewed and approved annually by the CCCS Manager of Information Security and the College’s IT Director.
- Exceptions to CCCS procedures shall not be given for an initial period of more than 12 months.
- Procedure exceptions shall be re-assessed to determine if the exception needs to be extended longer than 12 months.
REVISING THIS PROCEDURE
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.