Requesting Variances

Information Security Standard M1

1. Introduction

  • 1.1 In order to protect University information assets, the Chief Information Officer has issued binding Information Security Standards. Academic and administrative units that wish to deviate from these Information Security Standards are required to request a variance from the CIO.
  • 1.2 This standard establishes the procedure for Administrative Heads of Unit to request such a variance.
  • 1.3 The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

2. Variance Request Procedure

  • 2.1 Initial Request - the Administrative Head of Unit must submit a Variance Request Form to information.security@ubc.ca, which includes the following information:
    • 2.1.1 contact information;
    • 2.1.2 description of the requested variance and expected duration;
    • 2.1.3 explanation of why the variance is warranted;
    • 2.1.4 analysis of risk associated with granting the variance and what controls will be in place to manage this risk; and
    • 2.1.5 analysis of cost and resource implications of granting the variance.
  • 2.2 When considering the request for a variance, the CIO may seek the input of the Information Security Governance Committee (which is the Advisory Committee defined in Policy SC14) if they consider this appropriate.
  • 2.3 The CIO may authorize a variance from the Information Security Standards in any of the following circumstances:
    • 2.3.1 the Administrative Head of Unit is temporarily unable to meet the compliance standard;
    • 2.3.2 compliance is not achievable for technical or financial reasons;
    • 2.3.3 an alternate method of compliance is available that offers equivalent or better security; or
    • 2.3.4 the variance is otherwise reasonable and is consistent with the Information Security Standards.
  • 2.4 If the CIO approves a deviation, they will set out the terms of the variance, including any applicable mitigation requirements or other conditions.
  • 2.5 If the CIO denies the requested deviation, they will provide an explanation and, if possible, a suggestion of alternatives.

3. Resolution of Disagreements

  • 3.1 If a disagreement arises and cannot be resolved in a timely manner between the CIO and the Administrative Head of Unit with respect to the requested deviation, then either party may refer the disagreement to the Responsible Executive specified under Policy SC14, who will decide the matter. This Responsible Executive may consult with the Information Security Governance Committee and/or the other Responsible Executive if they determine it would be appropriate to do so.
  • 3.2 The Responsible Executive's decision is final.

Related Documents and Resources

Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems

Variance Request Form

Standard Last Revised: 2025-03

Page last updated on January 20, 2026

Office of the CIO

6356 Agricultural Road
Vancouver, BC Canada
V6T 1Z2
604 822 3634
E-mail ubc.cio@ubc.ca

Related Sites

Need Help?

Urgent Message An exclamation mark in a speech bubble. Bluesky The logo for the Bluesky social media service. Bookmark A bookmark in a book. Browser A web browser window. Caret An arrowhead indicating direction. Arrow An arrow indicating direction. Arrow in Circle An arrow indicating direction. Arrow in Circle An arrow indicating direction. Time A clock. Chats Two speech clouds. E-commerce Cart A shopping cart. Facebook The logo for the Facebook social media service. Help A question mark in a circle. Home A house in silhouette. Information The letter 'i' in a circle. Instagram The logo for the Instagram social media service. Linkedin The logo for the LinkedIn social media service. Location Pin A map location pin. Locked A locked padlock. Mail An envelope. Menu Three horizontal lines indicating a menu. Minus A minus sign. Pencil A pencil indicating that this is editable. Telephone An antique telephone. Play A media play button. Plus A plus symbol indicating more or the ability to add. Print A printer pushing out a piece of paper. Search A magnifying glass. Settings A single gear. Arrow indicating share action A directional arrow. Speech Bubble A speech bubble. Star An outline of a star. Twitter / X The logo for the X (aka, Twitter) social media service. User A silhouette of a person. Vimeo The logo for the Vimeo video sharing service. Youtube The logo for the YouTube video sharing service.