Death by Exception

November 15, 2011

As an assessor, I’m tasked with reviewing clients’ policies not only to determine if they are sufficient, but also to evaluate if they are being adhered to. For years, if a policy or procedure was not being followed, I’d assure my clients that exceptions were OK and absolutely expected, just as long as they were aware of them. The advice was well received and clients put procedures in place where exceptions were identified, reviewed, and approved…and everyone lived happily ever after, THE END. Naïve, I know.

And so these organizations continued with their exception procedures, year after year, until eventually exceptions became the rule. Month after month, review after review, exceptions became a strategy for departments that needed to bypass certain security requirements, creating a black hole of exceptions never to be seen or heard from again. Eventually, meeting the requirements became the rarity.

Exceptions, much like compensating controls in PCI, were not meant to be permanent. They are usually granted when certain processes, practices, applications, or implementations are unable to meet established requirements. The idea is to get the exception so operations can continue, not to get it and forget it. Although organizations have become great at obtaining exceptions, they’ve failed at managing those exceptions. As I am exposed to new and different environments, I’m quite surprised at how common exception black holes have become.

As I mentioned, exceptions are not permanent and should be reevaluated periodically. When an exception is originally requested, it should also include a remediation plan for eventually complying with the business requirement. The periodic review should evaluate the status of that remediation and determine whether other actions need to be taken to mitigate risk in the meantime.

What I’ve found is that by not managing exceptions, organizations have put themselves in a precarious position. Although exceptions are usually reviewed and approved by a central committee or group, the organization doesn’t do a good job of tracking the number of exceptions it has approved. By not tracking exceptions, executives lose perspective on the amount of risk they have actually accepted. After performing an assessment on a few hundred departmental applications at one company, management was shocked to discover that almost 90% of the applications did not comply with policy but instead went through the exception process. This revelation is what most organizations are missing out on. The “exception big picture” is hidden from upper management while being maintained in departmental vacuums. Exceptions are not a get-out-of-jail-free pass; they are last resorts that still need to be reviewed and managed.