
University Computer Security Standards (UCSS) Exception Request FAQ

What is an exception?
Why fill out the Exception Request Form?
What Information is Important in Requesting an Exception?
Do I need to submit an Exception Request for each part of each standard for a single device or device type?
Do I need to submit Compensating Control Requests and Exception Requests for a device or device type separately?
Must I include a serial number in my request? What about multiple serial numbers for a class of devices?
Is There An Example of the Sort of Request You are Expecting University Units to Submit?


Return to the Exception Request page
Return to the Compensating Control Request Page
Return to the Compensating Controls FAQ page
Return to the University Computer Security Standards (UCSS) page


What is an Exception?

An exception (with regard to the University Computer Security Standards) is a request to allow a device or class of devices to bypass enforcement of a standard, or of an element of a standard, within the University Computer Security Standards. Exceptions are granted when a device cannot be brought into compliance either directly or through the use of a compensating control, an external process, or removal of the device from service.

Why fill out the Exception Request Form?

The web form contains the questions that the CIO Security Group uses to evaluate a request for an exception to the various University Computer Security Standards or the elements they contain. To expedite approval, staff are encouraged to read the suggestions below, which help convey the most important information in a submission.

What Information is Important in Requesting an Exception?

The key information a unit should provide when submitting a request for a compensating control is the set of facts or procedures that prevent a device or class of devices from becoming compliant. If, for example, a device cannot host a firewall or be protected through an external device or process, then documenting how the unit intends to protect it from the threats a firewall covers is paramount to the request. Citing locally defined time frames and procedures will hasten the evaluation and approval process. Quantitative information goes a long way in helping the CIO Security Group determine whether the threats have been properly identified and addressed by the requesting unit.

Important details when requesting a Compensating Control:

* What standard or element cannot be met?
* What potential risk is involved in allowing the exception, if approved?
* What business reason is there to allow the device to exist with these limitations? Why should the device continue to be allowed to function in the university environment with the known risk?

Do I need to submit an Exception Request for each part of each standard for a single device or device type?

Exception requests for a single device or device type can be grouped by standard. For instance, if a device requires an exception for multiple elements of the MCSS, you may put them together into a single request, noting of course which parts of the standard the request applies to.

The example below shows two elements of the MCSS being requested in a single Exception Request.


Do I need to submit Compensating Control Requests and Exception Requests for a device or device type separately?

Compensating Control Requests and Exception Requests should be submitted separately for each standard. The reason is that the consideration process for the two is different, and the risk in allowing and approving exceptions is often greater. An exception is also an admission that a solution for a standard element cannot be implemented or does not exist, which implies greater risk.

As with multiple Compensating Control Requests for a device or device type, Exception Requests can be grouped by standard to include multiple elements in a single request. For example, if I need a compensating control for the MCSS Firewall and Authorizations elements and an exception for the Patching and Anti-Malware elements, I submit two requests: a single Compensating Control Request containing both elements and their solutions, and a single Exception Request containing both elements and the justification and description of risk.

Must I include a serial number in my request? What about multiple serial numbers for a class of devices?

The serial number field is included in the form primarily for use by local units that wish to track the devices that have been granted a Compensating Control. It is not used in considering the approval of the request. Multiple device serial numbers can be listed, but this is not required when submitting a request for a class of devices.


Is There An Example of the Sort of Request You are Expecting University Units to Submit?

The details required by the CIO Security Group to make a determination will vary by case, but here is an example of a well-documented and well-written compensating control request, to give you a sense of what sorts of details are needed to approve a request quickly. (The example below is not a real request; it is provided for illustrative purposes only.)

Your Name: Brian Moeller

Your e-mail address: moe@net.ohio-state.edu

If phone contact is preferred, the phone number where you can be reached: 77136

University Department/College?: CIO Security

Standard(MCSS,WSSS,DSSS,CCSS) and Element(when applicable) related to the exception request: MCSS - OS Update, Anti-malware

Type of device involved in Compensating Control Request: Buffalo 890 Network Storage Device

Device Manufacturer: Buffalo Networks

Device Serial Number: 200710001

Define the scope of the requested exception (e.g., single workstation, departmental lab, entire unit): The CIO Security Group uses the Buffalo NAS to store forensic data used in security investigations. This is a stand-alone network device that runs a proprietary form of Linux and is available to users connected to the .49 IP range used by Network Security. The device does not support a host-based firewall, nor does it support anti-malware natively. Additionally, the NAS is not configurable like a normal Linux system, so manufacturer patches are the only updates, and they are not issued on a regular interval. The administration functions are password protected. The device is accessed through NFS and does allow anonymous access. Exception requests are forthcoming for the OS Update and Anti-malware requirements of the MCSS for this device.

What precludes compliance with the MCSS element, either as initially specified or via a compensating control?: The version of Linux that manages and runs the NAS is customized and not part of a standard Linux distribution. There is no native anti-malware solution that can be implemented to protect the data stored on the NAS device. Additionally, as this device is a storage location for forensic images of compromised machines, the malware in those images should not be "cleaned," or it will work against the NAS's function as a forensic repository.

Description of how the proposed exception increases your security risk if granted: Since the OS cannot be patched with off-the-shelf updates to address critical security flaws, proactive monitoring and log/accounting practices will need to be put in place to watch the device for unusual activity. Files stored on the device could contain malware that may be required during a forensic investigation by the CIO Security Group. Any systems that connect to the device with file access will be protected by anti-malware under the MCSS, so the risk of exposure or exploitation is mitigated to some extent.
