This policy applies to all published Nested Knowledge information security policies. Employees and contractors must abide by this exception process.

An exception to an information security policy may be granted in the following cases:

• The implicated system does not have the capacity to comply with the relevant security standard.
• Immediate compliance would disrupt critical business
• A more secure or superior solution exists
• Compliance would adversely affect business operations
• A lawsuit or investigation requires exception to the relevant security policy.
• Compliance would cause a major adverse financial loss
• An emergency situation requires violation of the relevant security policy.

To request an exceptions:

Email or slack the information security team to request an exception. You request must contain the following information:

• Your name
• The implicated policy.
• The device or application affected by the request.
• Data classification category of the associated systems.
• The rationale for non-compliance with the policy.
• Duration of non-compliance expected.
• Assessment of risks.
• Controls in place to mitigate risks.

Steve would like to share Carl's Planet Pizza Account to order Pies for after-hour work events. This violates our access control policy, which Steve is well-acquainted with, as he pays close attention during annual trainings. Steve's request might look like the following:

• Request: I would like shared access to Karl's Planet Pizza online Accounts.
• Policy: Attaching the access control policy : https://wiki.nested-knowledge.com/doku.php?id=wiki:policies:access
• Application; Our account on the Planet Pizza web application, accessible at the website: www.planetpizza.org.
• Rationale: Planet Pizza only permits one account per each business credit card.
• Duration: Four - Six months.
• Risk: Passwords shared online may be intercepted, compromising our account and credit card information.
• Mitigation: To limit risk, credentials will be shared face-to-face verbally.