Limited Exemption from Acceptable Use of Computing and Electronic Resources Policy
The University of North Carolina at Greensboro
Policy Reference: Acceptable Use of Computing and Electronic Resources
Approved: November 30, 2006
Document Maintainer: Security Officer, ITS - Technology Planning
Purpose
This procedure addresses the following section of the related policy:
Section III.C
"Employees may be exempted from 'unacceptable use' restrictions during the course of their legitimate job responsibilities (e.g., ITS Systems and Networks administration staff may need to disable the network access of a host, if that host is disrupting production services)."
This procedure defines how limited policy exemptions are granted.
Scope
This procedure covers all individuals who may be exempted from "unacceptable use" restrictions whether exemption is needed for general duties or for specific instances during the course of their legitimate job responsibilities.
Responsible Parties
- Faculty and Staff
- ITS Employees
Procedure
The following guidelines must be followed to ensure that only approved individuals are exempt from aspects of the acceptable use policy while fulfilling networking- and security-related job responsibilities. To qualify for exemption, there must be an explicit purpose that directly correlates to the individual's job function. Examples might include denying network access to a computer that is disrupting production network services or scanning other computers for vulnerabilities.
General Exemption
Any ITS employees whose job description requires them to be exempt from this policy are not required to follow the normal exemption procedure.
Request
- Requests for limited policy exemption must be submitted to the Service Desk via 6-TECH.
- Each request should be an explicit review of what the individual needs and why. The request should at least cover the following questions:
  - Why is this necessary to your work?
  - How frequent is the need?
  - Is this an industry best practice for your work?
  - Which communities (machines, buildings, etc.) will be directly impacted?
  - What information will be made available by granting this exemption and to whom?
  - Are other options available? (Could the service be performed by someone else?)
  - What happens if the exemption is not granted?
Review
- All requests will be reviewed by ITS.
- The review process will consider the following types of concerns:
  - What other known and immediate risks are posed to UNCG?
  - Is the known risk too high?
  - How does this exception compare to best practices?
  - Is meeting the request in UNCG's best interests?
- Standard categories and procedures for exemption may be created.
Written response
ITS will respond with written notification to the requestor. A list of ITS and non-ITS employees with limited policy exemption status will be maintained within ITS.
