Technology Security Exception

Service Description

This catalog item allows you to request a technology security exception for High-Protection Obligation (HPO) assets, as defined under the UNC Standard on Information Technology Vulnerability Management or the UNC Standard on Information Security Controls (MSS). 

When to Submit an Exception

You must request an exception if a vulnerability remains unresolved beyond the timeframes defined in the Vulnerability Management Standard, even if remediation is already planned, or when a control in the MSS may be impossible to apply. An exception is required when:

  • System not expected to be addressed within 90 days: For non-Internet-accessible HPO systems or systems with high-level external obligations. 

  • System not expected to be addressed within 30 days: For Internet-accessible HPO systems or those with high-level external obligations. 

  • A control in this standard may be impossible to apply and no available alternate controls exist.

Note: If a unit chooses to accept the elevated risk, the designated responsible person must formally request risk acceptance. 

Decision Process

The Information Security Office (ISO) will review your request and either approve or reject it based on the provided documentation and any additional information gathered during the evaluation. 

You will be notified of the decision via the same method used to submit your request (ticket or email). 

The SLA for a decision is 5 business days. 

Exception Expiration and Review

When an approved exception reaches its expiration date, the Information Security Office (ISO) will initiate a review to: 

  • Confirm whether the planned remediation was successfully completed. 

  • Assess if an extension is needed due to unforeseen circumstances or newly discovered issues. 

  • Evaluate whether additional mitigation measures or compensating controls can be applied to sustain or further reduce the risk level. 

  

Submission via Email

Submitting security exception requests through the ticketing system is the recommended and standard method. In rare and exceptional cases, if you need to submit your request via email as a workaround:

  • Download and complete the Technology Security Exception Form Template Word document available in the Attachments section of this page, and email it to security@unc.edu.  

Audience

IT Employees and other "Responsible Persons" under the MSS

Documentation

User/Customer Responsibilities

You must submit any relevant supporting documentation promptly to support the review process.

If your request is for multiple assets, you are also required to send the Multiple Assets Security Exception Template sheet available in the Attachments section of this page.