For all the importance of strong policies and procedures, another truth is this: in day-to-day operations, your organization will very likely run into situations that violate them.
A risk exception is a documented, approved deviation that is made when a particular policy, standard, security program requirement, or security best practice cannot be fully implemented.
For example, your organization might make an exception so it can do business with a third-party vendor even if that vendor isn’t fully compliant with laws, policies, or regulations. Granting this exception, however, might come with consequences, and could put your organization at risk.
Risk exception vs. security exception and risk acceptance
A security exception is a type of risk exception that specifically pertains to information security and cybersecurity.
Security exceptions are made when a condition does not align with formal security expectations as defined by policy, standard, and/or procedure — a missing patch, for example.
At its heart, a security exception is a question of compliance, which may or may not represent an excessive level of risk.
Risk acceptance, on the other hand, is a formal and documented decision by a stakeholder to not remediate a level of risk that exceeds your organization’s risk appetite or risk tolerance.
While you may think that the two go hand in hand, a risk acceptance isn’t always the result of a security exception. For example, the missing patch may not represent much risk, or the risk associated with applying the patch might outweigh the risk associated with not applying it.
Or perhaps your organization’s security policy doesn’t prohibit using customer data in development and test environments, but a risk analysis shows that permitting large amounts of data represents a significant amount of risk. In this case, a security exception is not required, but a risk acceptance may be.
Risk acceptance is one of the risk treatment (or risk response) options available once a risk has been analyzed. The other treatments are risk avoidance, risk transfer, and risk reduction (also called mitigation).
Risk exception management
Avoiding risk altogether is almost impossible, so it’s best to put systems in place to manage it.
Your organization’s overall risk management program should aim to minimize the impact of risks before they materialize as incidents or events. The steps of risk management include risk assessment, risk analysis, risk evaluation and prioritization, risk treatment and mitigation, and risk monitoring and review.
Similarly, vulnerability management programs identify, classify, prioritize, and mitigate cybersecurity vulnerabilities, most often in software and networks. Common examples include unnecessarily exposed services (open ports), insecure code, unpatched applications, and dependencies on libraries with known vulnerabilities.
Making risk exceptions, however, might complicate both your risk management and vulnerability management programs, by exposing your organization to risk that is otherwise avoidable.
If you do decide to make a risk exception, you’ll need to implement a risk exception management program as part of your risk management program. Its purpose is to assess, for each exception, the likelihood that the resulting weakness will be exploited and the impact if it is.
A risk exception management program will help your organization identify and evaluate any risk exceptions on a consistent basis. It will also recognize the areas where you aren’t compliant, and determine whether you’re at risk for malicious activity or fines and penalties due to non-compliance.
Non-compliance can cause a number of headaches to your organization, including legal penalties, fines, business loss, and reputational loss.
If your organization makes a risk exception that results in non-compliance, it’s important that your risk exception management program also includes methods for managing policy exceptions.
A policy exception is a documented, approved exemption that allows an individual or entity to be excused from one or more of a policy’s requirements without changing the policy itself.
For example, your organization may have a certain information security policy in place that a vendor is unable to meet. It’s up to your organization to decide whether the risk of making that exception is greater than the loss that may occur if you refuse to do business with that particular vendor.
If a vendor or other business partner cannot meet your organization’s policies, a policy exception request form should be submitted on its behalf. In turn, your chief information security officer (CISO) can approve or deny the policy exception request based on the risk it poses to your organization.
Here are some strategies for granting policy exception requests within your risk exception management program:
- Attach conditions to the policy exception request. Your organization signs up for additional risk whenever it grants a policy exception request. For this reason, it is important to attach conditions to the request. For example, you might limit the amount of time the exception is valid, require compensating controls and a named risk owner, or add disclosure requirements to the vendor contract.
You’re essentially communicating to whoever is submitting the policy exception request form that you understand the business imperative behind the exception request, but that you also have a responsibility to protect your organization. Most third parties will accept reasonable conditions as part of a contract.
- Monitor exceptions to manage risk. Each risk exception you make will add additional risk to your organization. Therefore, you should avoid treating your risk exceptions as an undifferentiated set. Instead, treat each exception as a special case requiring attention, while still tracking the combined exposure: exceptions that are individually acceptable can add up to an unacceptable level of risk for a single system or vendor.
In addition, ongoing monitoring as well as periodic assessments should be a regular part of your risk exception management program, including a review of each exception at or before its expiry date.
- Regularly review and update company policies. Reviewing your policy exception requests might uncover the need to update or write a new policy. For instance, a concentration of exception requests associated with a specific policy is a strong indicator that the policy should be reviewed.
While keeping your policies current won’t eliminate exception requests altogether, it will help you reduce their number significantly. You should review policies at least annually, making sure that they are defined, updated, and articulated so that they provide clarity to users, help manage risk, and protect your organization.
Risk Exception and GRC
For some organizations, managing policy exceptions is a simple matter that can be handled manually on a case-by-case basis. Most of the time, the risk exception process is more complex and demanding.
A governance, risk, and compliance (GRC) platform can help your organization process exceptions through multiple approval workflows, provide risk scoring, and present data to give a holistic view of risks associated with exceptions.
ZenGRC from Reciprocity is compliance, risk, and workflow management software that offers an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before those risks manifest as real incidents.
It also provides users with a flexible platform that fits unique program requirements, including a connector for the leading digital workflow company, ServiceNow. With the ServiceNow connector, ZenGRC allows your organization to maximize efficiency, streamline processes, and use a single source for all metrics reporting and insights.
Pre-loaded with content and templates, and with white-glove onboarding from our team of industry experts, ZenGRC provides exceptional value, including the best-in-class time to value and total cost of ownership.
ZenGRC’s platform will simplify the way your organization manages information security risk and compliance, and encourage transparency and trusted relationships with key stakeholders.
Find out why the world’s leading companies trust ZenGRC and schedule a demo today to learn how to manage risk the Zen way.