The information resource owner or designee (e.g., custodian, user) is responsible for ensuring that the protection measures in the Security Control Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures provided in a Control. All exclusions must be in accordance with the procedures highlighted in the Information Security Controls Exclusion Process.
Please email email@example.com to obtain the exclusion request form. Once submitted and processed by the office of the CISO, an opinion for approval or denial will be submitted back to the requestor.