SM-11-007.02 EXEMPTION FROM STATE POLICIES AND STANDARDS
Issue Date: 7/15/2011
Revision Effective Date: 12/15/2014
An Agency may request exemption from implementation of any enterprise information technology policy or standard. This standard applies to all enterprise policies and standards issued by GTA, including all topics in areas of Information Security, IT Management, Service Delivery and Support, and Application Development. Exemptions from “Guidelines” are not required as agency compliance with guidelines is not mandatory.
SCOPE AND AUTHORITY
Information Technology Policies, Standards and Guidelines PM-04-001
Enterprise Information Security Charter PS-08-005
The following shall guide requests for exemptions from enterprise policies and standards:
1. An agency may request exemption from any policy or standard at any time by completing the “PSG Exemption Request” form and submitting it to GTA by email to: [email protected]. The “PSG Exemption Request” form shall identify the individual submitting the request on behalf of the agency.
2. GTA shall maintain a current template for the “PSG Exemption Request” form on its public-facing website. A “PSG Exemption Request” form submitted by an agency shall include any specific information required to evaluate various types or categories of PSGs.
3. A final decision to approve or deny the agency’s PSG Exemption Request shall be made by the State CIO, who may also specify one or more conditions to be addressed by the agency. The State CIO shall transmit the decision in writing to a senior executive of the requesting agency and to the person who submitted the PSG Exemption Request. The State CIO shall assign an approved waiver to one of the following categories:
a. "Regulatory". This category generally would be warranted by a statutory or regulatory condition affecting an agency.
b. "Term Limited", such as a one-year, two-year or three-year term prior to expiration, and
c. "Indefinite", with no stated time limitation prior to expiration. This category may be assigned to a waiver on approval, but also may be applied to a previously approved term-limited waiver for cloud applications with LOW security characterization for which the agency has complied with all specified conditions of the waiver and otherwise adhered to all of the terms and conditions of this standard. This category is intended to be valid for the life of an application.
4. The State CIO may revoke an awarded waiver or change the category of a waiver at any time, providing notice to a senior executive of the requesting agency.
5. An approved waiver will require re-evaluation when an agency experiences fundamental changes to the circumstances that justified the waiver, such as, but not limited to, the following:
a. Changes to the business case justifications stated in the Request for Exemption,
b. Changes to the security characterization of the data/system,
c. Events which significantly increase the security risk or are indicative of a compromised security environment of a third-party hosted solution,
d. Conditions stated in enterprise standard SM-15-009 "Enterprise Managed Services" which require the agency to submit a Request for Exemption, or
e. Changes to the agency's statutory or regulatory environment which affect its "Regulatory" waiver status.
6. If an agency anticipates bringing a third-party hosted application into the enterprise, or the agency fails to otherwise comply with conditions specified by the State CIO for a waiver or fails to comply with the terms and conditions of this standard, the agency shall begin an active program to migrate the application as suggested in the "Calendar of Activities to Migrate a Business Application / System to the NADC upon Expiration of a Term of Exemption from the EMS". GTA shall maintain a current copy of this Calendar on its public-facing website.