Skip to main content

Cornell University

IT@Cornell

Security Exception

""

The Security Exceptions App Is Retired

  • IMPORTANT! If you have a new exception that involves High-Risk Data:
    1. Draft an email with the specific University IT Security Policies or ITSO Practices for which you want an exception. 
      Include the Business Justification and the Compensating Safeguards
    2. Review it with your Security Liaison.
    3. Email to itsecurity@cornell.edu for immediate review
       
  • Why is the site retired? The Microsoft technology that powered the Security Exception app was retired (SharePoint 2013 Workflow).
  • Is there a replacement? A replacement is being developed. The launch date is expected before the end of FY26.
  • Can I see or get my exception data? This site is now read-only.  While the forms still display as of 4/15, we expect them to stop working too.
    If you need access to information in your Exception, and you are having trouble seeing it, please send an email to itsecurity@cornell.edu 

Thank you for your patience as we complete work on the new site and app. 

A Security Exception exists when information technology does not meet the security requirements in Cornell IT Security policies. Exceptions can exist for devices, applications, systems, and business or technical reasons. 

Cornell policy requires that the person(s) responsible or accountable for security must take the appropriate steps to mitigate risks (see Policy 5.10, Information Security). Both the Exception and the mitigation must be documented and are subject to audit. The goal is to reduce the overall exposure of the university to technology security risks. This service is provided by the Cornell IT Security Office (ITSO).

When to Ask For a Security Exception

If you are responsible for a device, application, or other IT resource that does not meet the "Baseline Security Requirements" defined in Policy 5.10, Information Security, then you must request a Security Exception.

Request a Security Exception

The following electronic process replaces the previous paper procedure. Learn how to request a security exception.

ActionDescription
Complete Initial Exception request formNew app coming soon
Add Devices to ExceptionIf you indicated there are devices associated with your Security Exception, after saving you will be redirected to continue editing your Exception, and the Device tab will become available. Once you have finished, you will need to complete the SharePoint Task sent to you by email to indicate you have completed the addition of all associated devices.
Security Exception ApprovalAfter indicating that the associated devices have been added, the Security Exception will proceed through the approval process. The Security Exception will need to be approved by the Security Liaison for the department, the IT Director for the department, and the CISO or delegate. If the Security Exception is submitted by the Security Liaison or IT Director, approval will not be needed by these individuals.
Additional Information RequestedAt any step of the approval process, the approver can request additional information from the previous approver.
Yearly ReviewAll Security Exceptions must be reviewed on a yearly basis by the Security Liaison, IT Director, and CISO or delegate.

 

Service Details:

Summary:

A replacement for a new security exception application is in development. The technology driving the previous app was retired by the vendor. Interim steps for High-Risk Data can be found on this page.

Comments?

To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.