March 5, 2019
What’s good for business may come with added risk. In fact, many incidents are the direct result of policy violations. For risk management with business needs in mind, maybe the answer isn’t nay or yea but a more nuanced approach, one that allows for exceptions while still helping to address risk.
A security organization can be a complex structure; it can lay out frameworks, processes, procedures and policies. However, during day-to-day operations it is likely that organizations run into situations that violate existing policies and procedures. Risks are unavoidable, and the key is to identify the exposure; that is where risk exception begins. A risk exception recognizes an area where you are not compliant with laws, policies or regulations. The affected resources are at risk of exposure to malicious activity or of penalties due to non-compliance.
Risk exception is best explained using an example:
Let’s assume that an organization has a policy to remediate all of their exposures within five months from the date of reporting. The organization has recently had a security assessment conducted by a third-party auditor, who has raised several security issues with data at rest within the organization, and their on-premises datacenter/servers are easily penetrable. The organization states they have a logical solution to this problem; however, it may not be feasible to fix this exposure in the five-month timeframe. This is where risk exception comes into play.
Implementing Risk Exceptions as a part of a Security Framework:
The organization should take it one step further and implement exception management as a part of their security framework, where they can handle exceptions and have proper policies and procedures defined. This will assist the organization in handling exceptions and also provide assurance to senior management. This way, the organization will see the security framework as a business enabler rather than a procedural hindrance. In order to implement this for the Compliance and Risk Management team, we will need to consider the following:
Developing Supporting Policies and Procedures – If the organization wants to enforce exception management as a part of Risk Management, then the organization needs to develop supporting policies and procedures which formally document how to handle exceptions in every scenario. Once the organization has proper documentation in place, then they can integrate it into the existing Security Framework.