1-10 Policy Exception and Review

1-10.1 Granting an Exception to the Policies

Any exception to the policies in this handbook must be based on a completed risk assessment and documented in a risk acceptance letter approved by the vice president, Information Technology, and the vice president of the functional business area. (Risk acceptance is defined in 4-6, Risk-Based Information Security Framework, of this handbook.) If the exception impacts sensitive or sensitive-enhanced information, the Chief Privacy Officer (CPO) must also approve the exception. (Information categories and levels are defined in 3-2, Information Designation and Categorization, of this handbook.)