The time to complete a Security Exception will vary. Approval is required from the Security Liaison of the department, the IT Director of the department, and the Chief Information Security Officer (CISO). This may vary depending on the individual who submits the Security Exception. A Security Liaison will not need to approve their own request for a Security Exception.

The IT Director, CISO, or delegate may request additional information prior to approving the Security Exception. This may include clarification of information already provided or additional compensating controls for the system in question.