Stanford Seal     Information Security Risk Acceptance - SU# _____


Regarding Administrative Guide Memo #______, or Information Security Standard _____________________________, dealing with the topic of _________________



I understand that compliance with Stanford University information security policies and standards is expected for all organizational units (e.g. schools and departments), information systems, and communication systems.  I have read the above-named policy and I believe that the control(s) described therein should not be required for the following organizational unit, information system, or communication system, _____________________________________________________________________________________ _______________________________________________________________________________________________________________________________________.


I understand that an exception to information security policies is appropriate only when compliance would: (a) adversely affect the accomplishment of Stanford University business, or (b) cause an adverse financial impact that would not be offset by the reduced risk occasioned by compliance.  


An exception to this policy is warranted because:




A written assessment has been prepared of the risks associated with a policy exception.  This risk assessment has been jointly prepared with the assistance of Information Security Office and Internal Audit Department and has been reviewed by the Data Governance Board.


I, as the responsible university approver, accept responsibility for the risks associated with this exception to information security policies. I understand that the risks include potential loss of information and acceptance of the personal and departmental sanctions described in Administrative Guide Memo #63, Information Security.  I also understand that this exception may be revoked and will be subject to Internal Audit's annual follow-up procedures.





Signature of Requestor                               Date






Printed name of Responsible University Approver




Responsible University Approver                          Date




Data Governance Board                                            Date




Data Owner                                                               Date