Policy Exceptions


WHAT ARE POLICY EXCEPTIONS AND WHY ARE THEY IMPORTANT?

About This Control

Summary: Policy Exceptions are used to document policy non-compliance issues and vulnerabilities that cannot be remediated. Policy Exceptions require management approval and are only valid for a set amount of time after which they are expected to be resolved and closed, or else resubmitted to be approved for an extension.

Purpose: The Policy Exception dashboard reports on open exception records, the risk level of exceptions, and exceptions that are past due or approaching their due date.

Implementation Guidance: Users can configure the risk ratings they use if they differ from the dashboard’s defaults.

Why It Matters

  • Without a policy exception process, exceptions can go undocumented or without appropriate approval, creating blind spots in security posture.

  • The policy exception process provides a structure for evaluating the risk of each exception.

  • The process ensures exceptions are temporary, with expiration dates.

  • Many regulations (e.g., HIPAA and PCI-DSS) require documentation and justification for deviations from standard security policies.

Risks Addressed

  • Untracked and unapproved exceptions allow teams to bypass security controls, leading to undocumented vulnerabilities.

  • Unmanaged exceptions increase the attack surface, leading to gaps in the organization’s defenses.

  • Without a standardized process, exceptions may be granted arbitrarily, leading to risky decisions unaligned with the organization's risk tolerance.

  • Temporary workarounds that are not tracked can become permanent, turning into long-term security exposures.

CONTROLS THIS DASHBOARD REPORTS ON

  • NIST CSF v2.0: Subcategory ID.RA-07, Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

  • PCI-DSS v4.0: Does not have a requirement specifically covering security policy exceptions, but does include Requirements that could benefit from an established process to manage exceptions. For example, 8.2.2, Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis…

  • CIS CSC v8.1: The CSCs include several safeguards that require security exceptions. Safeguards 2.2 Ensure Authorized Software is Currently Supported and 2.3 Address Unauthorized Software both require documented exceptions for software that is not compliant.

  • DORA: Regulatory Technical Standard (RTS) Simplified ICT Risk Management Framework, Article 2, General elements of ICT security policies

PRIMARY KEY PERFORMANCE INDICATOR (KPI)

The dashboard reports on this Primary KPI:

  • Numerator: Open policy exceptions that have not exceeded their due date.

  • Denominator: All policy exceptions that were initially approved and have not yet been closed.
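As an added example (not DataBee’s own code or query), here is one way to compute the Primary KPI defined above and derive a per-record Compliance Status from the Valid To and Exception State columns listed on this page. The state values ("approved", "closed", "pending_approval"), the status labels and the 30-day warning window are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

@dataclass(frozen=True)
class PolicyException:
    """One exception record, modelled on the dashboard columns named on this page."""
    exception_id: str
    valid_from: date
    valid_to: date
    state: str          # assumed values: "approved", "closed", "pending_approval"
    risk_rating: str

def compliance_status(rec: PolicyException, today: date, warn_days: int = 30) -> str:
    """Derive a Compliance Status label (labels and the 30-day window are assumptions)."""
    if rec.state != "approved":
        return rec.state                     # closed or not yet approved: report as-is
    if rec.valid_to < today:
        return "past_due"                    # exceeded its Valid To date
    if rec.valid_to - today <= timedelta(days=warn_days):
        return "approaching_due"             # due within the warning window
    return "in_compliance"

def primary_kpi(records: Iterable[PolicyException], today: date) -> Optional[float]:
    """Numerator: open exceptions not past due; denominator: approved and not yet closed."""
    approved_open = [r for r in records if r.state == "approved"]
    if not approved_open:
        return None                          # avoid division by zero when nothing is open
    within_due = [r for r in approved_open if r.valid_to >= today]
    return len(within_due) / len(approved_open)

def status_counts(records: Iterable[PolicyException], today: date) -> Dict[str, int]:
    """Roll-up for a summary view: how many records fall into each status."""
    counts: Dict[str, int] = {}
    for rec in records:
        status = compliance_status(rec, today)
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed sample data (not real DataBee records); "today" is fixed so results are stable.
TODAY = date(2026, 3, 1)
SAMPLE = [
    PolicyException("PE-001", date(2025, 12, 1), date(2026, 6, 30), "approved", "Medium"),
    PolicyException("PE-002", date(2025, 9, 20), date(2026, 3, 20), "approved", "High"),
    PolicyException("PE-003", date(2025, 8, 1), date(2026, 1, 31), "approved", "High"),
    PolicyException("PE-004", date(2025, 6, 1), date(2025, 12, 31), "closed", "Low"),
    PolicyException("PE-005", date(2026, 2, 15), date(2026, 9, 30), "pending_approval", "Low"),
]
```

With the sample above, `primary_kpi(SAMPLE, TODAY)` is 2/3: three approved exceptions remain open, and one of them (PE-003) has exceeded its Valid To date.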

COLUMNS DISPLAYED ON THE DETAIL DASHBOARD

  • Leading: Compliance Status, Policy Exception Id, Policy Exception Description, Risk Rating

  • Exception Details: Valid From, Valid To, Exception State, Requester Name, Requester Email Address, Requester Unique Id

  • Org Hierarchy: Owner Databee Id, Owner Email Address, Owner Employee UID, Owner Full Name, Owner Job Title, Owner Name, Manager Databee Id, Manager Email Address, Manager Full Name, Level 2, Level 3, Level 4, Level 5, Level 6

OCSF TABLES USED BY THE DASHBOARD

  • OCSF.Ticket_inventory

  • User Entity, which in turn uses CDP.User and CDP.Org_Hierarchy

  • CDP.Org_hierarchy

Copyright © 2026 DataBee®, A Comcast Company.
DataBee® is a registered trademark of Comcast.