September 7, 2023
HOWTO: Request an ISPO Cybersecurity Variance
About Variances
The Information Security Risk Management Team (ISRMT) at the Mass General Brigham Information Security and Privacy Office manages and reviews the variance process.
A variance request is a service designed to evaluate the cybersecurity risk of temporarily deviating from an existing Mass General Brigham policy or standard.
Information security variance requests will only be granted if the review process determines that the requestor:
- cannot meet a privacy or information security policy or standard explicitly, as stated, due to legitimate technical or documented business constraints; and
- has sufficiently mitigated the risk associated with the original requirement(s) by implementing compensating controls.
ISRMT evaluates variance requests against internally developed controls, controls specified by the National Institute of Standards and Technology (NIST) and other security best practices.
The Information Security Risk Management Team will work with users to identify reasonable recommendations aligned with our current acceptable business practices, industry best practices or vendor guidance (where appropriate).
How to Submit a Cybersecurity Variance Request
Request a Variance via the Digital Service Hub
- Go to the Digital Service Hub website
- Select Make a Request
- Select ISPO Cybersecurity Variance Request
- Fill out the form
- Once complete, click Order Now.
Support
If further assistance is required, contact the Service Desk to open a ticket with the ispo variance requests - phs group.