Skip to main content

Cornell University

Security Exception

On This Page

A Security Exception exists when information technology does not meet the security requirements in Cornell IT Security policies. Exceptions can exist for devices, applications, systems, and business or technical reasons. Cornell policy requires that the person(s) responsible or accountable for security must take the appropriate steps to mitigate risks (see Policy 5.10, Information Security). Both the Exception and the mitigation must be documented and are subject to audit. The goal is to reduce the overall exposure of the university to technology security risks. This service is provided by the Cornell IT Security Office (ITSO).

When to Ask For a Security Exception

If you are responsible for a device, application, or other IT resource that does not meet the "Baseline Security Requirements" defined in Policy 5.10, Information Security, then you must request a Security Exception.

Request a Security Exception

The following electronic process replaces the previous paper procedure. Learn how to request a security exception.



Complete Initial Exception request form

Fill out a new request form at the ITSO's SharePoint site.

Add Devices to Exception

If you indicated there are devices associated with your Security Exception, after saving you will be redirected to continue editing your Exception, and the Device tab will become available. Once you have finished, you will need to complete the SharePoint Task sent to you by email to indicate you have completed the addition of all associated devices.

Security Exception Approval

After indicating that the associated devices have been added, the Security Exception will proceed through the approval process. The Security Exception will need to be approved by the Security Liaison for the department, the IT Director for the department, and the CISO or delegate. If the Security Exception is submitted by the Security Liaison or IT Director, approval will not be needed by these individuals.

Additional Information Requested

At any step of the approval process, the approver can request additional information from the previous approver.

Yearly Review

All Security Exceptions must be reviewed on a yearly basis by the Security Liaison, IT Director, and CISO or delegate.


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.