WHAT IS A POLICY EXCEPTION?
A Policy Exception is a formal process that manages and documents instances where cybersecurity vulnerabilities or non-compliance with established policies cannot be promptly remediated. The Exception Management Program ensures that these exceptions are properly approved and monitored, providing a structured approach to situations where immediate compliance or remediation is not feasible.
Examples of vulnerabilities and non-compliance issues that may require an exception include:
- Vulnerabilities in application code or inherent design flaws
- Weaknesses identified during threat modeling workshops
- Insecure system architectures
- Gaps identified in Third-Party Security Assessments (TPSA)
- Vulnerabilities discovered through scanning and detection tools
- Data Loss Prevention (DLP) incidents involving unauthorized data blocking
- Other instances of identified vulnerabilities or non-compliance with established cybersecurity policies
OBJECTIVE
The objective of this process is to ensure that cybersecurity vulnerabilities or policy non-compliance issues, which cannot be addressed within the prescribed remediation timeframes or expectations set by assessors, are properly documented, approved, and managed. This ensures that risks associated with these exceptions are mitigated as much as possible until full remediation can be achieved.
DATA SOURCES
- ServiceNow Policy Exception
- Troux
- HRDS
- SAP Success Factors
- Ping One