Death by Exception

November 15, 2011

As an assessor, I’m tasked with reviewing clients’ policies, not only to determine whether they are sufficient but also to evaluate whether they are being adhered to.  For years, if a policy or procedure was not being followed, I’d assure my clients that exceptions were OK and absolutely expected, just as long as they were aware of them.  The advice was well received, and clients put procedures in place where exceptions were identified, reviewed, and approved…and everyone lived happily ever after, THE END.  Naïve, I know.

And so these organizations continued with their exception procedures, year after year, until eventually exceptions became the rule.  Month after month, review after review, exceptions became a strategy for departments that needed to bypass certain security requirements, creating a black hole of exceptions never to be seen or heard from again.  Eventually, meeting the requirements became the rarity.

Exceptions, much like compensating controls in PCI DSS, were never meant to be permanent.  They are usually granted when certain processes, practices, applications, or implementations are unable to meet established requirements.  The idea is to get the exception so operations can continue, not to get it and forget it.  Although organizations have become great at obtaining exceptions, they’ve failed at managing them.  As I am exposed to new and different environments, I’m quite surprised at how common exception black holes have become.

As I mentioned, exceptions are not permanent and should be reevaluated periodically.  When an exception is originally requested, it should include a remediation plan for eventually complying with the requirement.  Each periodic review should evaluate the status of that remediation and determine whether other actions need to be taken to mitigate the risk in the meantime.

What I’ve found is that by not managing exceptions, organizations have put themselves in a precarious position.  Although exceptions are usually reviewed and approved by a central committee or group, the organization rarely does a good job of tracking how many exceptions it has approved in total.  Without that tracking, executives lose perspective on the amount of risk they have actually accepted.  After an assessment of a few hundred departmental applications at one company, management was shocked to discover that almost 90% of the applications did not comply with policy but had instead gone through the exception process.  This is what most organizations are missing: the “exception big picture” is hidden from upper management while the details are maintained in departmental vacuums.  Exceptions are not a get-out-of-jail-free pass; they are last resorts that still need to be reviewed and managed.

3 Responses to “Death by Exception”

  1. This is a great post and point. (Shameless product plug.) This is one of the reasons that we (LockPath) have included automatic triggers in our exception tracking capability within our Risk Manager product, so that exceptions can be tracked and revisited on a regular, recurring basis while being attached to specific people and policies and controls. Thanks for writing this!

  2. […] jail free pass, but are last resorts that still need to be reviewed and managed. Cross-posted from TopHeavySecurity […]

  3. One word … Microsoft. This explains why there are *so* many security vulnerabilities in Microsoft software products – because everyone from Ballmer on down through EVPs and VPs and GMs place “ship it” ahead of “quality”. The good news is, when they do things like NIST ATO efforts, if the auditors are honest then these things get exposed. Of course, when the auditors (or the people who write the SSP) are less than honest, …
