A business wants to hire a vendor. However, this vendor does not meet policy standards and has requested an exception. The question you face is whether to approve or deny that exception request. What’s good for business sometimes comes with added risk; in fact, many incidents are the direct result of a policy violation. For both risk management and business needs, the answer may not be a simple yea or nay but a more nuanced approach: one that allows for exceptions while also helping to address the risks they introduce.
A security organization can be a complex structure. Frameworks, processes, procedures, and policies are all laid out. However, in day-to-day operations, it is still very likely the organization will run into situations that violate existing policies and procedures. Risk is unavoidable. The key is identifying exposure, and that is precisely where risk exception begins. A risk exception recognizes the areas where you are not compliant with laws, policies, or regulations. The affected resources are exposed to malicious activity and/or to penalties issued for non-compliance.
Risk exception is best explained using an example.
Let’s assume an organization has a policy in place to remediate all exposures within five months from the date of actual reporting. The organization recently had a security assessment conducted by a third-party auditor, who raised several security issues with data at rest within the organization and found that their on-premises datacenter/servers are easily penetrable. The organization states it has a logical solution to this problem. However, in reality, it may not be feasible to fix this type of exposure within the five-month timeframe, which is precisely where risk exception comes into play.
Implementing Risk Exceptions as a part of a Security Framework:
The organization should take it one step further and implement exception management as part of its security framework, with proper policies and procedures defined for handling exceptions. This will help the organization handle exceptions consistently and also provide assurance to senior management. This way, the organization will see the security framework as business enablement rather than as a procedural hindrance. In order to implement this for the Compliance and Risk Management team, we will need to consider the following:
- Identify Key Stakeholders: Your organization will need to identify the people who will be involved in managing exceptions. Normally the approving official owns the exception, and someone from the Security Team finalizes and approves it. The number of stakeholders will differ from organization to organization, based on the risk management process and the way it is designed.
- Implementing Roles and Responsibilities: Once your organization has identified stakeholders, it needs to create a roles and responsibilities chart that specifically addresses and defines the process of communication. This serves as a formal way to communicate each stakeholder’s accountability and responsibility.
- Associating Timelines with Every Exception: By definition, exceptions are deviations from a process or policy. However, they are mainly granted so the business isn’t held back and so that the security and business teams can function together. A logical deadline should be set for each exception so it can be tracked with clarity.
- Extending Exceptions on an As-Needed Basis: Although working with the business is good, the organization must ensure someone on the business side assumes responsibility for such extensions. The Risk Management/Compliance team should explain the pros and cons of extending an exception. The key stakeholders should understand that they are responsible in case of a system compromise that occurs due to an extended exception. Stakeholders will be solely responsible and will be required to explain any resulting problems to a higher authority.
- Accepting Irresolvable Exceptions: Budgets have to be approved to replace existing solutions. The truth is, many businesses may not be interested in investing large sums into something they do not deem necessary or beneficial to begin with. Consider, for example, a legacy payroll application hosted on a mainframe server. Moving and changing payroll is a tedious task and comes with a huge cost for migrating from the older technology to a newer, more efficient one.
- Developing Supporting Policies and Procedures: If the organization wants to enforce exception management as part of Risk Management, it needs to develop supporting policies and procedures that formally document how to handle exceptions in every scenario. Once the organization has proper documentation in place, it can integrate exception management into the existing Security Framework.