Policy Exception
- Updated on 21 Mar 2025
WHAT IS A POLICY EXCEPTION AND WHY ARE EXCEPTIONS IMPORTANT?
A Policy Exception refers to a formal process that documents and tracks approval of non-compliance with established cybersecurity policies which cannot be promptly remediated.
The Exception Management Program ensures that these exceptions are adequately reviewed, approved and monitored, providing a structured approach for handling situations where immediate compliance or remediation is not feasible.
CONTROLS THIS DASHBOARD REPORTS ON
This dashboard reports on your organization’s level of compliance with these controls:
NIST CSF v2.0: Subcategory ID.RA-07, Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
CIS CSC v8.1: Includes several safeguards that require security exceptions. Safeguards 2.2 (Ensure Authorized Software is Currently Supported) and 2.3 (Address Unauthorized Software) both require documented exceptions for software that is not compliant.
PRIMARY KEY PERFORMANCE INDICATOR (KPI)
The dashboard reports on this Primary KPI:
Numerator: Policy Exceptions that are either approved but not yet due, or recently Closed
Denominator: All Approved or recently Closed exceptions
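The following sketch is an added example, not the dashboard's own code. It computes the Primary KPI over constructed records and lists the exceptions that lower it (approved but past their Valid To date). Assumptions: the field names, the phase labels "Approved" and "Closed", and a 90-day window for "recently Closed", which this page does not define.

```python
from datetime import date, timedelta

# Assumption: the page does not define "recently"; 90 days is a placeholder.
RECENT_DAYS = 90

# Constructed sample records. Field names mirror the dashboard columns;
# the phase labels "Approved", "Closed" and "Draft" are assumed values.
EXCEPTIONS = [
    {"id": "PE-001", "phase": "Approved", "valid_to": date(2025, 6, 30), "closed": None},
    {"id": "PE-002", "phase": "Approved", "valid_to": date(2025, 1, 31), "closed": None},
    {"id": "PE-003", "phase": "Closed", "valid_to": date(2025, 2, 28), "closed": date(2025, 2, 20)},
    {"id": "PE-004", "phase": "Closed", "valid_to": date(2024, 6, 30), "closed": date(2024, 7, 15)},
    {"id": "PE-005", "phase": "Draft", "valid_to": date(2025, 12, 31), "closed": None},
]

def classify(exc, today, recent_days=RECENT_DAYS):
    """Return 'compliant', 'overdue', or None when the record is outside the KPI."""
    if exc["phase"] == "Closed":
        cutoff = today - timedelta(days=recent_days)
        if exc["closed"] is not None and exc["closed"] >= cutoff:
            return "compliant"  # recently closed
        return None  # closed too long ago to count
    if exc["phase"] == "Approved":
        # Assumption: an exception is "not yet due" through its Valid To date.
        return "compliant" if exc["valid_to"] >= today else "overdue"
    return None  # not approved, so not part of the denominator

def primary_kpi(exceptions, today, recent_days=RECENT_DAYS):
    """Return (numerator, denominator, ids of overdue exceptions)."""
    numerator = denominator = 0
    overdue = []
    for exc in exceptions:
        status = classify(exc, today, recent_days)
        if status is None:
            continue
        denominator += 1
        if status == "compliant":
            numerator += 1
        else:
            overdue.append(exc["id"])
    return numerator, denominator, overdue

if __name__ == "__main__":
    n, d, late = primary_kpi(EXCEPTIONS, today=date(2025, 3, 21))
    ratio = f"{n / d:.0%}" if d else "n/a"
    print(f"Primary KPI: {n}/{d} = {ratio}; overdue exceptions: {late}")
```
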
COLUMNS DISPLAYED ON THE DETAIL DASHBOARD
- Compliance Status
- Policy Exception ID, Policy Exception Description - Exception information
- Valid From, Valid To - Approved time span for the exception
- Closed Date
- Risk Rating - Risk rating assigned to the exception
- Exception Phase - Phase in the exception's lifetime
- Owner Name, Owner EMP ID, Owner Email, Owner Job Title - contact information for the person who owns the exception
- Executive VP, Senior VP, VP / Executive Director - Management chain for the Employee
- Level 5, Level 6 - Additional levels of management for the Employee
OCSF TABLES USED BY THE DASHBOARD
- Ticket Inventory [99405001]
- User Inventory Info [5003]