Article 70 – Security Variance Policy
49270.4 Policy Directives
- The department's Information Security Officer (ISO) shall ensure security variances are documented, reviewed, approved, and implemented. Approval of security variances shall include risk ownership and acceptance.
- Prior to submitting a security variance request, the department ISO shall facilitate risk assessments to consider relevant implications and potential security risks introduced as a consequence of the security variance.
- The risk assessment shall involve, at minimum, the respective department business unit requesting the variance and the department ISO.
- The assessment shall include the evaluation and recommendation of additional compensating controls and safeguards to mitigate the security risks identified, where applicable.
- The term of an approved security variance must not exceed twelve (12) months.
- All approved security variances shall be documented and tracked in a risk management system.
- The department ISO shall continuously monitor the risks associated with the security variance throughout the term permitted.
- Approved security variances shall be reviewed annually by the department ISO, at which time a recommendation shall be made to the Department Chief Information Officer (CIO) or designee to extend or expire the security variance.