Nested Knowledge

Bringing Systematic Review to Life


wiki:policies:exception

Differences

This shows you the differences between two versions of the page.

wiki:policies:exception [2023/02/07 21:13]
katcow
wiki:policies:exception [2023/02/07 21:46] (current)
katcow
Line 2: Line 2:
  
  
 +===== Purpose =====
 +
 +The purpose of this policy is to ensure that exceptions to security policies are documented and approved through an exception process. 
  
 ===== Scope ===== ===== Scope =====
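Review bot: The added Purpose paragraph says exceptions are "documented and approved through an exception process" but names no approver and no record of the decision; the request procedure further down routes requests to the information security team, so stating here that the information security team reviews and approves exceptions, and where approvals are recorded, would make the Purpose match the procedure it introduces.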
Line 11: Line 14:
 An exception to an information security policy may be granted in the following cases:  An exception to an information security policy may be granted in the following cases: 
  
-  * more secure solution exists+  * The implicated system does not have the capacity to comply with the relevant security standard.  
 +  * Immediate compliance would disrupt critical business 
 +  * A more secure or superior solution exists 
 +  * Compliance would adversely affect business operations 
 +  * A lawsuit or investigation requires exception to the relevant security policy.  
 +  * Compliance would cause a major adverse financial loss 
 +  * An emergency situation requires violation of the relevant security policy.
  
- +=== To Request an Exception===
-To request an exceptions+
  
 Email or slack the [[wiki:policies:infosec#information_security_organization|information security team]] to request an exception. You request must contain the following information:  Email or slack the [[wiki:policies:infosec#information_security_organization|information security team]] to request an exception. You request must contain the following information: 
Line 27: Line 35:
   * Controls in place to mitigate risks.    * Controls in place to mitigate risks. 
  
-**Example: **+=== Example Exception Request ===
  
-Steve would like to share Carl'Planet Pizza Account to order Pies for after-hour work events. This violates our access control policy, which Steve is well-acquainted with, as he pays close attention during annual trainings.  Steve's request might look like the following: +Steve would like to share Carl's Pizza Planet Account to order Pies for after-hour work events. This violates our access control policy, which Steve is well-acquainted with, as he pays close attention during annual trainings.  Steve's request might look like the following: 
  
-  * Request: I would like shared access to Karl'Planet Pizza online Accounts.  +  * Request: I would like share access to Carl's Pizza Planet online account.  
-  * Policy: Attaching the access control policy : [[https://wiki.nested-knowledge.com/doku.php?id=wiki:policies:access]] +  * Policy: I'm attaching the access control policy: [[https://wiki.nested-knowledge.com/doku.php?id=wiki:policies:access]] 
-  * Application; this affects our account on the Planet Pizza web application.  +  * Device/Application: Carl'account on the Pizza Planet web application, accessible at the website: [[https://www.pizza-planet.org/portal]].  
-  * Rationale: Planet Pizza only permits one account per each business credit card.+  * Rationale: Pizza Planet only permits one account per each business credit card.
   * Duration: Four - Six months.    * Duration: Four - Six months. 
-  * Risk: Passwords shared online may be intercepted, compromising our account and credit card information.  +  * Risk: Passwords shared online may be intercepted, compromising Carl'account and our business credit card information. 
-  * Mitigation:  +  * Mitigation: To limit risks, credentials will be shared face-to-face verbally. We will change the account password every 6-8 weeks. 
-----+
  
  
-* For example, attach the Access Control Policy if you are requesting to share an account to a software platform with another employee.+===== Compliance ===== 
 +Policy exception requests will be reviewed monthly or as they occur 
  
 ===== Revision History ===== ===== Revision History =====
 +
 +
 +^Author^Date of Revision/Review^Comments/Description|
 +|K. Cowie|02/07/2023|Draft Completed|
 +
 +
 +[[:wiki:policies|Return to Policies]]
 +
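Review bot: The new list of grounds for an exception is wide enough to admit almost any request: "Compliance would adversely affect business operations" overlaps with "Immediate compliance would disrupt critical business" and "Compliance would cause a major adverse financial loss", and without a materiality qualifier that middle item alone justifies nearly every request. Consider folding it into the "disrupt critical business" item or adding a threshold (for example, a disruption the requester's manager confirms). In the example request, the mitigation (sharing the password face-to-face and rotating it every 6-8 weeks) addresses interception but not the accountability problem a shared login creates, since actions on Carl's account can no longer be attributed to Carl or Steve; the mitigation should also say the password is changed when the "Four - Six months" duration ends or when either person leaves. The added Compliance line, "reviewed monthly or as they occur", should name who performs the review and where the outcome is recorded. Minor: the example request reads "I would like share access", which should be "shared access".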
wiki/policies/exception.1675804388.txt.gz · Last modified: 2023/02/07 21:13 by katcow