Centralized Server Exemption Request
As directed by the Executive Committee and implemented in HOP 5.8.14, Server Security, all devices performing server functions are to be stored and managed in one of the approved data centers to ensure the physical and logical security necessary to protect the equipment and the data it stores, processes, and transmits. Exceptions to this policy must be submitted through the Chief Information Security Officer, with final approval by the Vice President and Chief Information Officer.
The following form must be completed in its entirety, signed, and forwarded to the Information Security Office.
1) Individual identifier for the device:Device Name:
Inventory Number:
MAC address:
Serial Number:
Desktop [ ] / Laptop [ ]
2) The owning department and/or location of the device:
Department name:
DeptID:
Building and room number:
3) How is the server currently being used?
4) Describe the department’s backup strategy for this server. Include in the description the process used, media used, on-site and off-site storage locations, etc.
5) Describe the department’s power management strategy for this server. Include in the description filtering, backup power/uninterruptible power supplies/generators, power sources, etc.
6) Describe the department’s physical security strategy for this server. Include in the description locks, access control, video monitoring, etc.
7) Describe the department’s environmental strategy for this server. Include in the description HVAC, moisture monitoring, backup cooling, etc.
8) Explain why the server cannot be maintained in one of the approved data centers.
9) List all compensating controls in place or proposed to mitigate risks associated with maintaining the server outside an approved data center.
10) Please attach or include any supplemental documentation that may exist in support of the request, such as vendor literature or analysis and recommendations from faculty or colleagues.
Acknowledgement
I understand establishing a server outside of an approved data center puts the server, its data, the department, and the University at risk of data disclosure and/or compromise. I also understand operating the server outside the centralized environment may not meet the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), as well as other State and Federal requirements for protecting the confidentiality, integrity, and availability of data.
Requestor’s Printed Name
Requestor’s Signature
Date:
Dean/Director/Chair Printed Name
Dean/Director/Chair Signature
Date: / Recommend approval? Yes [ ] No [ ]
*** Additional signature requirements continue on the next page. ***
Chief Information Security Officer’s Printed Name
Chief Information Security Officer’s Signature
Date: / Approved? Yes [ ] No [ ]
If approved, this exemption will expire on the date below. For continued use, another exemption must be completed and approved on or before the expiration date.
Expiration Date:
Page 2 of 4