Picture a company that\u2019s the envy of its peers from a compliance and risk perspective. This respected firm has robust staff in its internal audit, security, risk management, and related departments. It has a fully functioning GRC system and tracks control effectiveness globally under multiple compliance frameworks.<\/p>\n
When the company\u2019s employees attend conferences and events, they are flooded with questions about \u201chow they do it\u201d or what \u201cmature\u201d looks like in their environment. With all these things in place, the risk of a significant breach, security control failure, or risk event should be low.<\/strong> However, this program has one glaring hole which occurs at nearly every company. The security exception program lacks maturity and has spiraled out of control.<\/p>\n A security exception is when a policy, procedure or control is temporarily bypassed, using an exception process, for business reasons. It\u2019s an \u201cexception to the rule\u201d justified by the company\u2019s business mission, so to speak. All companies have a legitimate need to grant information security exceptions<\/a>. Never say never when it comes to information security, considering the unlimited ways technologies are used and how quickly they\u2019re evolving.<\/strong><\/p>\n Common security exceptions include:<\/p>\n Security exceptions are not explicitly addressed by any published security or control framework. This makes them easy to overlook and exclude from risk and control programs.<\/p>\n Creating security exceptions opens new risk vectors that are difficult to manage without a formal, repeatable and scalable process. It should not be taken lightly. The following are risks of creating security exceptions:<\/p>\n An effective way to identify improvements, efficiencies and automation opportunities<\/a> is to revisit stale processes. This is also true for security exceptions. Mapping the current process is a great start to reengineering a new one to meet the risk mitigation needs of an organization.<\/p>\n Security exception listings can quickly get out of control without a refined process. Hasty approvals, missing expiration dates, and lack of tracking compensating controls creates problems. A great place to start a process-refinement analysis is to ask questions to clarify the challenges of the current security exception environment.<\/p>\n Working through these preliminary questions will help identify exceptions with a defined business need. Most companies find they can modify or completely discard many of their current exceptions. This exercise can immensely reduce an organization\u2019s risk profile. While some manual investigation and stakeholder interaction may be involved, it will create future efficiencies.<\/p>\n After redesigning a new process, implementation is the next challenge. You need to consider many things during implementation. This includes stakeholders, roles, enterprise risk management, criteria, and service level agreements. These program pillars are critical to the success of the overall information security exception management process.\u00a0 You must apply them strategically and methodically for a successful implementation.<\/p>\n The key to success is having a security exception management process in place and consistently following it.<\/strong> Some components to consider include centralized exceptions, compensating controls, approvals, accountability, time limits, escalations, monitoring, renewals, and removals.<\/p>\n Mature information security exception programs are well-defined at the governance<\/a> level. They also involve regular input from subject matter experts. For example, someone who lacks proven firewall management experience should not decide on a requested exception to a firewall rule change.<\/strong><\/p>\n Conversely, there must be a governance process to support the enterprise risk criteria of the organization. So, just because the firewall subject matter expert approves the exception from a perimeter defense perspective doesn\u2019t mean it should be granted. The exception could increase the risk to the organization. The decision-making process should examine enterprise risk, suitable governance, subject matter expertise, and appropriate oversight.<\/p>\n It\u2019s essential to put valuable data into stakeholders\u2019 hands to manage the security exception process effectively. Proper reporting will help you avoid security violations and improve the process moving forward.<\/p>\n Ongoing reporting of exceptions should include the following items:<\/p>\n It is unlikely that patterns will become apparent if several different manual solutions are used to handle exceptions. This is a serious deficiency, as trend analysis may only identify root causes. Sometimes, you can reduce or eliminate exceptions by modifying the process in which they occur.<\/p>\n Many employees view dealing with exceptions as a \u201cnecessary evil.\u201d However, exceptions are an opportunity to provide a direct view into how well policies and standards are being followed. In some cases, they can also indicate whether overarching documents are a problem.<\/strong> Proper training and reporting on the process can prevent many pitfalls.<\/p>\n With the proper systems in place, managing exceptions moves from a manual to automated process, instantly delivering value. This happens by tracking exception requests and overlaying them with the underlying assignee or program data to identify trends.<\/p>\n Yet, you should approach automation cautiously. Before considering automation, you must examine the current process and map out the desired process<\/a>. Every business environment is different, so automation will make sense in some cases but not others.<\/strong> Adopt technological measures to prevent individuals from intentionally or unintentionally bypassing the new process.<\/p>\n Automated exception management provides an opportunity to make an unpleasant task more palatable and efficient. This can lead to a shorter time to resolution and help bend employees\u2019 perceptions in a positive direction. More importantly, automation provides management of the tools to get ahead of requirements and better evaluate underlying policies and standards.<\/p>\n Here’s a brief example of how automation can greatly improve a complex security exception process. A Fortune 500 organization found that 84 percent of nearly 750 exception requests submitted in a given year received approval. This high percentage indicates it was too easy to gain approval of an exception.<\/p>\n Meanwhile, the organization\u2019s security team spent roughly 40 minutes managing each exception. This created an additional $90K cost for approving exceptions \u2013 the equivalent of a full-time employee. Using a system to collect and track the data, the organization set up automatic approval thresholds and tweaked policies. They dramatically reduced the time spent managing exceptions while improving overall user experience.<\/p>\n The reasons for nonperformance of a policy, procedure or control may include business needs, technological limits, or staffing issues. Controls and procedures are established to make organizations more secure and ensure management\u2019s objectives are met. Creating exceptions to these rules opens a new risk vector that is difficult to control and should not be taken lightly.<\/strong><\/p>\n Nonetheless, exceptions to information security policies are inevitable. That\u2019s why your organization must be prepared by designing, documenting and implementing an effective information security exception management process. An effective program once rolled out or re-engineered, commonly shifts a culture.<\/p>\n Similar to change management, information security exception awareness requires a new set of supporting, repeatable processes. These new practices require top-to-bottom buy-in to prevent employees from bypassing the process. This is crucial for maintaining a secure environment. <\/a>Equally important? The documentation and supporting processes you need to comply with a wide range of requirements.<\/p>\n Bottom line: every business needs a comprehensive, consistent, regularly updated policy for determining when to make security exceptions. This includes guidance on when to remove them, and protocols and instructions that are easy for stakeholders to understand and implement.<\/p>\n \n What Are Security Exceptions?<\/h2>\n
\n
Risks of Creating Security Exceptions<\/h2>\n
\n
Maintain a Secure Environment by Reengineering the Process<\/h2>\n
1. Out With Old, in With New<\/h3>\n
2. Implementation<\/h3>\n
3. Risk, Oversight and Governance<\/h3>\n
4. Reporting and Training<\/h3>\n
\n
Automate Security Exceptions<\/h2>\n
Security Exceptions \u2013 The Ultimate Weakness<\/h2>\n