9-2 Information Technology Use and Security Policy Manual - Appendix C: Security Policy/Standard Waiver
Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”
Read next: Glossary
Text of Waiver
Local Agency Name: [name]
Phone Number: [phone number]
County Policy/Standard: [standard to be waived]
[Identify the scope of the exception being requested (i.e., for all systems/Users? One system/group of Users?):]
Justification for Exception:
[Explain why compliance with this policy/standard is not possible due to technical limitations, conflict with business requirements, or other circumstances:]
[Explain the potential impact or risk attendant upon granting the exception:]
[In the absence of the controls specified by this policy/standard, what compensating controls will be implemented?]
Approval and Conditions:
I, hereby, acknowledge that I have reviewed the aforementioned request for a policy/standard waiver and certify that the compensating controls necessary to justify the policy/standard waiver are adequate.
County Chief Information Security Officer or approved designee
Local Agency Department Head, General Manager or approved designee
Upon approval, scan and e-mail to firstname.lastname@example.org. The approver shall retain the original.
Please note: This waiver and it’s applicability must be reviewed at least annually by the requesting Local Agency. Waivers must be renewed every three years or when significant changes which affect the system categorization (e.g., Confidential, Restricted or Public), justification for noncompliance, and/or compensating controls are made.
In most cases the Information Systems Director who serves as the Chief Information Security Officer will be the appropriate approver, unless otherwise noted in the individual policy or standard for which the waiver is submitted.
Download Security Policy/Standard Waiver
(PDF: 60 kb)