This procedure applies to all published Information Security procedures except those included in the components of the University of Rochester Medical Center and Affiliates HIPAA Covered Entity.


Some of the circumstances for which a deferral from a procedure may be approved include:

  • Implementation of a solution with equivalent or superior protection.
  • Impending retirement of a legacy system.
  • Cost of adherence is significantly out of proportion to the risk of non-adherence.
  • Adherence would disrupt critical operations and/or adversely impact university business.

Deferrals will be as narrowly defined as possible and granted for a specific period of time. Deferrals are reviewed on a case-by-case basis and their approval is not automatic. Deferrals may be reviewed and revoked at a later time where circumstances warrant.


The Deferral Request Form must be filled out and then submitted to the Chief Information Security Officer (CISO). The Chief Information Security Officer reviews deferral and submits to the Dean or Vice President (VP) of the appropriate division and advises of the risk associated with the request. The Dean/Vice President then approves or denies the request and returns the deferral back to the Chief Information Security Officer. The Deferral is reviewed upon its expiration, detailed in the request form, or as circumstances require. At any point in the process the Chief Information Security Officer or Dean/Vice President may request more information about the request.

Deferral Request Procedure

The Deferral Request must include:

  • Description of the requested deferral and the reason for the request
  • Anticipated length of the deferral
  • Assessment of risk associated with the deferral
  • Proposed plan for managing the risk associated with the deferral
  • Proposed metrics for evaluating the success of risk management (if risk is significant)
  • Proposed review data to evaluate effectiveness and continued appropriateness of the deferral.

Related Policies