In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately.
“Exceptions” are unauthorized non-conformance or non-compliance situations. For example, if the organization has a policy requiring multi-factor authentication for all privileged system accounts, a privileged account that has only single-factor authentication for some reason (perhaps an oversight or a practical issue) constitutes an exception: something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management.
Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such.
“Exemptions” are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicitly authorized or agreed that they should continue – perhaps with compensating controls, for a defined limited period, and with clear accountability for the associated risks. So, for instance, the information risks associated with having only single-factor authentication on a test system may be acceptable to management if the control costs are deemed excessive in that situation … but the exemption might be granted only for the duration of the testing, and on the condition that the test system has access only to test data, not live/production data, with the Test Manager accepting personal accountability for the associated information risks.
Exemptions do not constitute issues, events or incidents unless:
- The situation at hand varies substantially from that authorized, e.g. if the compensating controls are not actually in operation, or if the authorized exemption period has expired (yes, even exemptions have to be complied with ... perhaps implying the need for compliance checks and other control measures if the information risks are significant);
- The information risks are materially different from those accepted, e.g. if they were misunderstood or misstated/misrepresented when someone applied for the exemption. If incidents have occurred on the test system that would have been prevented by multi-factor authentication, that suggests the need for management to revisit the authorization of the exemption and perhaps hold the Test Manager to account for the incidents, demanding appropriate corrective action.
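To make those conditions concrete, here is an added illustration in Python (not part of the original post): a compliance check that compares a privileged-account inventory against an exemptions register and reports each account as conformant, exempt, an issue (the exemption has lapsed or its compensating controls are not in operation) or an exception (single-factor auth with no authorization at all). The account names, dates and control names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Exemption:
    expires: date                     # defined, limited period
    compensating_controls: frozenset  # controls management required as a condition
    accountable_owner: str            # the individual who accepted the risk

@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    mfa: bool
    controls_in_operation: frozenset = frozenset()

# Constructed sample data: an exemptions register keyed by account name, and an inventory.
REGISTER = {
    "svc-test-db": Exemption(date(2024, 12, 31), frozenset({"test-data-only"}), "Test Manager"),
    "svc-test-web": Exemption(date(2024, 6, 30), frozenset({"test-data-only"}), "Test Manager"),
    "svc-test-api": Exemption(date(2024, 12, 31), frozenset({"test-data-only"}), "Test Manager"),
}
INVENTORY = [
    Account("admin-prod", privileged=True, mfa=True),
    Account("svc-test-db", privileged=True, mfa=False, controls_in_operation=frozenset({"test-data-only"})),
    Account("svc-test-web", privileged=True, mfa=False, controls_in_operation=frozenset({"test-data-only"})),
    Account("svc-test-api", privileged=True, mfa=False),
    Account("svc-backup", privileged=True, mfa=False),
]
AS_OF = date(2024, 9, 1)  # constructed review date

def classify(acct, register, today):
    """Classify one account against the 'MFA on all privileged accounts' policy.
    Returns (status, reason); status is conformant, exempt, issue or exception."""
    if not acct.privileged or acct.mfa:
        return ("conformant", "")
    ex = register.get(acct.name)
    if ex is None:                      # non-conformance nobody has authorized
        return ("exception", "single-factor auth with no authorized exemption")
    if today > ex.expires:              # exemptions must themselves be complied with
        return ("issue", f"exemption expired {ex.expires}; owner {ex.accountable_owner}")
    missing = ex.compensating_controls - acct.controls_in_operation
    if missing:                         # situation varies from what was authorized
        return ("issue", f"compensating controls not in operation: {sorted(missing)}")
    return ("exempt", f"accepted by {ex.accountable_owner} until {ex.expires}")

def review(inventory, register, today):
    """Map every account name to its (status, reason) as of 'today'."""
    return {a.name: classify(a, register, today) for a in inventory}
```

Running `review(INVENTORY, REGISTER, AS_OF)` flags svc-test-web (expired), svc-test-api (missing control) and svc-backup (never authorized), while svc-test-db remains a valid exemption.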
The distinction implies processes or activities for identifying, evaluating and treating the information risks - conventional risk management, in fact, applied rationally according to the differing circumstances.
The critical distinction between exemptions and exceptions is not the amount of risk, or management's knowledge of the situation, or even the authorization: the distinction ultimately comes down to accountability. There are information risks associated with both exemptions and exceptions, but with exemptions an individual explicitly accepts the risks, whereas with exceptions the risks are left floating in mid-air ... which means 'management' as a whole accepts them implicitly and severally, since they fall within management's governance obligations.