Policy Exception

What is this service?

Vanderbilt University has approved information security policies in place to safeguard the university, its people, and its computing resources from cyber threats. These information security policies outline responsibilities you must adhere to when utilizing university IT assets.

However, the university recognizes that there may be unique/critical business needs or academic pursuits that cannot comply with a particular policy. This service exists to provide an exception to the policy in those cases.

When do I need the service?

You need this service if you are unable to comply with an approved policy that is in effect. However, you should first exhaust all options for compliance before seeking an exception. Once all options for compliance are exhausted, an exception to an approved information security policy or standard may be considered for these cases:

  • On a temporary basis, where immediate compliance would disrupt operations critical to the university’s mission.
  • On a temporary basis, where an IT asset cannot support the compliant solution.
  • Where an alternative compensating control would provide equivalent protection. 
  • Where a legacy system is scheduled for retirement and compliance is not practical.

How to request the service

Submit a ticket to the Office of Cybersecurity.  

The CISO or a delegate will assess the details and grant or deny the request according to the level of risk introduced. The length of the assessment will depend on the nature of the request and the completeness of the details provided. Please be thorough and complete in your answers to prevent delays.

  • Granted exceptions: If granted, the requesting individual must follow all stipulations outlined by Cybersecurity. This may include putting in place compensating measures or processes to keep the level of risk acceptable.
  • Denied exceptions: If denied, the requesting individual is responsible for coming into compliance.


How long will my request remain granted?

Granted exceptions will be valid for a period in keeping with the level of risk, but no more than 1 year. Higher-risk exceptions may have to be renewed more frequently than lower-risk ones. After an exception has expired, the requesting individual must come into compliance or submit a request for renewal.

Not sure how to start?

Get in touch if you don’t know where to begin, you can’t find the guidance needed on the website, or if you just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for the Vanderbilt community to discuss security questions or concerns.

Get Security Help