July 10, 2024
About Variances and Exemptions
Compliance with published MGB Digital Information Security (“DIS”) Policies and Standards is the obligation of all employees, and particularly of the owners of Information Technology Resources.
What is a Variance?
The purpose of a Variance is to allow temporary use of a technology that deviates from an MGB DIS Policy or Standard. A Variance is expected to be in place only for the period of time required to remediate the deviation, but never for longer than one year.
Information security Variances may also be required when an individual or entity seeks to utilize technology in a manner that creates an organizational risk that must be mitigated, even if a policy, standard or procedure directly addressing the issue has not been defined.
EISS-5.6 Information Security Program Standards, Section 5
EISS-8b.7 IT Asset Management Standards for Risk Management
What is an Exemption?
The purpose of an Exemption is to allow extended use of a technology when that technology cannot meet the requirements of an MGB DIS Policy or Standard. It is expected that when an Exemption is granted, it will need to remain in place for as long as the operating conditions remain. However, the requestor must still annually certify that the same conditions exist under which the original Exemption was ALLOWED. It is also expected that the requestor will make diligent efforts to eliminate the need for the Exemption by:
- Seeking to replace the non-compliant technology,
- Working with the technology’s manufacturer to bring the technology into compliance, or
- Segmenting the technology in such a way as to reduce its risk to the enterprise to an acceptable level.
EISS-5.6 Information Security Program Standards, Section 5
Who Decides Variances and Exemptions?
In most cases, the MGB DIS Risk Assessment Team is delegated by the Chief Information Security Officer to manage, review and determine Variances and Exemptions. Certain Variances or Exemptions may be managed, reviewed and determined by the MGB Site Information Security Officers & Research Data Protection Team, by the Chief Information and Digital Officer (CIDO) or Chief Information Officer (CIO).
Standard of Review
Information security Variance or Exemption requests will only be ALLOWED if the review process determines that the requestor:
- Cannot meet an MGB DIS Policy or Standard due to legitimate technical or documented business constraints;
- Has sufficiently mitigated, or planned the mitigation of, the risk associated with the deviation(s) from MGB DIS Policy or Standard;
- Could not have avoided the deviation from MGB DIS Policy or Standard using reasonable efforts at compliance; and
- Where applicable, has developed a definitive remediation plan with achievable and timely completion milestones.
MGB Digital Information Security evaluates Variance and Exemption requests against internally developed controls, controls specified by the National Institute of Standards and Technology (NIST) and other security best practices.
Effect of Decision
An “ALLOWED” Variance or Exemption constitutes MGB Digital Information Security's acceptance, on behalf of the enterprise, of the cybersecurity risk presented by the deviation from an existing MGB DIS Policy or Standard.
ALLOWED Variances are subject to any mitigations, remediations or compensating controls deemed necessary. Variances are, by definition, temporary and never exceed one (1) year’s duration. After the Variance expires, the underlying issue should be fully remediated.
A Variance request that is “NOT ALLOWED” constitutes MGB Digital Information Security's refusal to accept the cybersecurity risk presented, and requires remediation of the deviation from existing MGB DIS Policy or Standard at the earliest possible date.
Extensions
Variances and Exemptions may be extended or re-certified upon submission of a new request and re-review. Extension requests are reviewed and determined, in each case, as a new request regardless of whether the original request was “ALLOWED”.
How to Submit a Cybersecurity Variance or Exemption Request
Request a Variance via the Digital Service Hub
- Go to the Digital Service Hub Website
- Select Make a Request
- Select ISPO Cybersecurity Variance Request
- Fill out the form
- Once complete, click Order Now.