Nested Knowledge


This is an old revision of the document!


Policy Exception Policy

Scope

This policy applies to all published Nested Knowledge information security policies. Employees and contractors must abide by this exception process.

Policy

An exception to an information security policy may be granted in the following cases:

  • a more secure solution exists

To request an exception:

Email or Slack the information security team to request an exception. Your request must contain the following information:

  • Your name.
  • The implicated policy.
  • The device or application affected by the request.
  • Data classification category of the associated systems.
  • The rationale for non-compliance with the policy.
  • Duration of non-compliance expected.
  • Assessment of risks.
  • Controls in place to mitigate risks.

Example:

* Steve would like to share Carl's Planet Pizza account to order pies for after-hours work events. This violates our access control policy, which Steve is well-acquainted with, as he pays close attention during annual trainings. Steve's request might look like the following:

  • Request: I would like shared access to Carl's Planet Pizza online account.
  • Policy: Attaching the access control policy: https://wiki.nested-knowledge.com/doku.php?id=wiki:policies:access
  • Application: This affects our account on the Planet Pizza web application.
  • Rationale: Planet Pizza only permits one account per business credit card.
  • Duration: Four to six months.
  • Risk: Passwords shared online may be intercepted, compromising our account and credit card information.
  • Mitigation:

----

* For example, attach the Access Control Policy if you are requesting to share an account to a software platform with another employee.

Revision History

wiki/policies/exception.1675804388.txt.gz · Last modified: 2023/02/07 21:13 by katcow