ID.RA-07.171

Does your organization maintain documentation of risk assessments and mitigation plans for all security policy exceptions?

Explanation

This question assesses whether your organization formally evaluates and documents the risks associated with any exceptions to security policies, along with specific plans to address those risks. For example, if an exception is requested to allow a legacy system to operate without current patches, the documentation should identify potential vulnerabilities and specify compensating controls like network segmentation or enhanced monitoring. Evidence could include a formal exception management document that contains risk assessments for each exception, identified risk levels, mitigation strategies, implementation timelines, and approval signatures from appropriate stakeholders. This document should demonstrate that exceptions are not granted without thorough risk analysis and mitigation planning.

Implementation Example

Document the risks related to each requested exception and the plan for responding to those risks

ID: ID.RA-07.171

Context

Function: ID (IDENTIFY)
Category: ID.RA (Risk Assessment)
Sub-Category: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub