wiki:policies:exception
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
wiki:policies:exception [2023/02/07 21:04] katcow |
wiki:policies:exception [2023/02/07 21:46] (current) katcow |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| + | ===== Purpose ===== | ||
| + | |||
| + | The purpose of this policy is to ensure that exceptions to security policies are documented and approved through an exception process. | ||
| ===== Scope ===== | ===== Scope ===== | ||
| Line 11: | Line 14: | ||
| An exception to an information security policy may be granted in the following cases: | An exception to an information security policy may be granted in the following cases: | ||
| - | * a more secure solution exists | + | * The implicated system does not have the capacity to comply with the relevant security standard. |
| + | * Immediate compliance would disrupt critical business | ||
| + | * A more secure | ||
| + | * Compliance would adversely affect business operations | ||
| + | * A lawsuit or investigation requires exception to the relevant security policy. | ||
| + | * Compliance would cause a major adverse financial loss | ||
| + | * An emergency situation requires violation of the relevant security policy. | ||
| - | + | === To Request | |
| - | To request | + | |
| Email or slack the [[wiki: | Email or slack the [[wiki: | ||
| Line 20: | Line 28: | ||
| * Your name | * Your name | ||
| * The implicated policy. | * The implicated policy. | ||
| - | * For example, attach the Access Control Policy if you are requesting to share an account to a software platform with another employee. | ||
| * The device or application affected by the request. | * The device or application affected by the request. | ||
| * [[wiki: | * [[wiki: | ||
| Line 27: | Line 34: | ||
| * Assessment of risks. | * Assessment of risks. | ||
| * Controls in place to mitigate risks. | * Controls in place to mitigate risks. | ||
| + | |||
| + | === Example Exception Request === | ||
| + | |||
| + | Steve would like to share Carl's Pizza Planet Account to order Pies for after-hour work events. This violates our access control policy, which Steve is well-acquainted with, as he pays close attention during annual trainings. | ||
| + | |||
| + | * Request: I would like share access to Carl's Pizza Planet online account. | ||
| + | * Policy: I'm attaching the access control policy: [[https:// | ||
| + | * Device/ | ||
| + | * Rationale: Pizza Planet only permits one account per each business credit card. | ||
| + | * Duration: Four - Six months. | ||
| + | * Risk: Passwords shared online may be intercepted, | ||
| + | * Mitigation: To limit risks, credentials will be shared face-to-face verbally. We will change the account password every 6-8 weeks. | ||
| + | |||
| + | |||
| + | ===== Compliance ===== | ||
| + | Policy exception requests will be reviewed monthly or as they occur. | ||
| ===== Revision History ===== | ===== Revision History ===== | ||
| + | |||
| + | |||
| + | ^Author^Date of Revision/ | ||
| + | |K. Cowie|02/ | ||
| + | |||
| + | |||
| + | [[: | ||
| + | |||
wiki/policies/exception.1675803885.txt.gz · Last modified: 2023/02/07 21:04 by katcow
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
