There may be times that business operations require certain exceptions be made to information security policies and procedures. This article provides some guidance and best practices on the exception management policy and how you can leverage it for your organization’s policy.
Management by Exception
Exceptions to any information security policies or procedures should be reviewed and approved by the senior management. Exceptions should be managed accordingly. In most cases, exceptions could be provided for the following:
- Legacy systems
- Third party applications
- Proprietary systems
- Physical security
- Emergencies
- Legal situations
Examples of exceptions
- A specialized application may be configured to require passwords that do not meet password policy requirements.
- A proprietary business system only allows for one administrator ID; however, multiple individuals support this system. Administrators must share this ID to manage the system.
- Some mobile device operating systems do not have the ability to meet the network device attachment requirements.
- A legacy system that does not meet the technical requirements.
- A lawsuit requires retaining information above and beyond the retention procedure.
- An emergency situation takes place that requires a workforce member to use the credentials of another workforce member to cover a time-critical business operation.
How exception is handled
During the course of conducting business, if there is a need for an exception to any information security policy and/or procedures, the request should be made by the related staff or team member. To maintain centralized control of exceptions, exceptions should be only granted through the Security Department. Other managers should not allowed to grant exceptions at their own discretion.
The exception request should include:
- Requestors name or approving manager
- Explanation of the request
- The policy or procedure the request pertains
- The reason for the request
- Mitigating controls in place to mitigate any risks to the exception
The security management should review the request and determine whether or not to grant the exception. If an exception is made, other mitigating controls should be implemented. These mitigating actions can be administrative, physical, technical, or any combination of these types of controls.
Those employees that have been granted an exception should be held accountable for following any other mitigating procedures implemented, and sanctions should be consistently applied for failure to follow these requirements.
Is there a time limit on security exceptions?
A time limit should be established for all exceptions. The time limit should be determined based upon the exception requested and any additional business impact along with associate risks involved. Exceptions are considered temporary and should be removed/canceled as the exception is no longer necessary.
Monitoring of exception
A determination should be made on how the exception should be monitored. This monitoring should be developed based on the exception made along with appropriate procedures for reviewing or auditing the exception.
An exception should be well documented. Documentation of an exception should include at least the following elements:
- Individuals or systems involved or scope of the exception
- Limitation of exception
- Mitigating controls required
- Dates/times
- Reasons for exception
- Approval
Final thoughts
At times, information security policies and procedures could directly affect business operations. For this reason, certain exceptions and steps may be taken to maintain the proper continuation of business operations.