Death by Exception

Tuesday, November 15, 2011

Michelle Klinger


As an assessor, I’m tasked with reviewing clients’ policies, not only to determine whether they are sufficient but also to evaluate whether they are being adhered to.

For years, if a policy or procedure was not being followed, I’d assure my clients that exceptions were OK and absolutely expected just as long as they were aware of them. 

The advice was well received, and clients put procedures in place where exceptions were identified, reviewed, and approved… and everyone lived happily ever after, THE END. Naïve, I know.

And so these organizations continued with their exception procedures, year after year, until eventually exceptions became the rule.  Month after month, review after review, exceptions became a strategy for departments when they needed to bypass certain security requirements, thus creating a black hole of exceptions never to be seen or heard from again.

Eventually, meeting the requirements became the rarity.

Exceptions, much like compensating controls in PCI, were not meant to be permanent.  They are usually given when certain processes, practices, applications, or implementations are unable to meet established requirements.  The idea is to get the exception so operations can continue, not to get it and forget it. 

Although organizations have become great at obtaining exceptions, they’ve failed at managing those exceptions.  As I am exposed to new and different environments, I’m quite surprised at how common exception black holes have become.

As I mentioned, exceptions are not permanent and should be reevaluated periodically.  When an exception is originally requested, it should also include remediation plans for eventually complying with the business requirement.  Their periodic review should be an evaluation of the status of the remediation and to determine if other actions need to be taken to mitigate risk.

What I’ve found is that by not managing exceptions, organizations have put themselves in a precarious position. Although exceptions are usually reviewed and approved by a central committee or group, the organization doesn’t do a good job of tracking the number of exceptions it has approved.

By not tracking exceptions, executives lose perspective on the amount of risk they have actually accepted. After an assessment of a few hundred departmental applications at one company, management was shocked to discover that almost 90% of the applications did not comply with policy and had instead gone through the exception process.

This is the revelation most organizations are missing. The “exception big picture” is hidden from upper management while it is maintained in departmental vacuums.

Exceptions are not a get-out-of-jail-free pass; they are last resorts that still need to be reviewed and managed.

Cross-posted from TopHeavySecurity

M A Living this Nightmare @ my corp--So True
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.