Exception management is essential to running an IT GRC management program. In some instances, assessments, alerts, or incidents reveal evidence of noncompliance that relates to specific technologies or services. However, it is not always possible or economical to remediate discovered issues immediately.

In these instances, the decisions and ensuing activities are documented as exceptions to the IT GRC management program. Exception management provides for the creation, approval, constraint definition, execution, and tracking of justifiable exceptions to control and asset applicability.

The Process Pack for IT GRC supports the following types of exceptions:

  • Control activity scope exceptions. This type of exception allows a user to exclude specific control activities from being included in compliance scoring.
    For example, an IT pro manages a line-of-business application that does not support passwords longer than six characters. The organization’s configuration policy requires all passwords to be a minimum of eight characters. The application is slated to be retired within the next six months, but it is undesirable for the computers running the application to appear on the noncompliance reports for those six months. The IT pro requests an exception for the computers running the application so that they will be noted on future reports but will not negatively affect compliance scoring until the application is retired. The exception will include any control activities that require a password greater than eight characters.

  • IT GRC program scope exceptions. This type of exception excludes specific computers from within the scope of an IT GRC program.
    For example, an IT pro discovers that four virtual machines in a test environment were incorrectly included in the scope of their PCI audit management program, which has been running for seven months. Because the virtual machines do not hold any production or sensitive data, they should never have been included in the program scope. To resolve this problem, the IT pro requests an exception, which will exclude the four virtual machines when scoring the PCI audit program and annotate the audit reports accordingly. The exception will include all control activities for these four virtual machines.

  • GRC policy exceptions. This type of exception excludes control activities that are not applicable to the organization.
    For example, a program implementer looks at a compliance report for a PCI audit management program and discovers that one of the control activities has only failing results. After reviewing the control activity, the program implementer determines that the control activity was incorrectly added to the program and is testing a requirement that does not apply to the organization. The program implementer requests an exception to exclude this control activity from all future compliance reports for the remainder of the audit year.

After the exception is submitted, it must be approved using a Service Manager Review Activity work item. Only after approval is the exception applied to IT GRC compliance scoring and reports.
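The following is an added illustration of the scoring behaviour the three exception types and the approval gate describe; it is not code from the Process Pack for IT GRC or from Service Manager. It models compliance results as (computer, control activity, pass/fail) rows and applies only approved exceptions: a control activity scope exception matches named activities on named computers, a program scope exception matches all activities on named computers, and a policy exception matches a named activity on every computer. Excepted rows are still listed on the report but do not count toward the score. All computer names, control activity identifiers, and results are constructed for the example.

```python
"""Toy model of how approved IT GRC exceptions change compliance scoring (added example)."""
from dataclasses import dataclass, replace
from enum import Enum


class ExceptionType(Enum):
    CONTROL_ACTIVITY_SCOPE = "control_activity_scope"  # named activities on named computers
    PROGRAM_SCOPE = "program_scope"                    # named computers, every activity
    POLICY = "policy"                                  # named activities, every computer


@dataclass(frozen=True)
class Result:
    computer: str
    control_activity: str
    passed: bool


@dataclass(frozen=True)
class GrcException:
    kind: ExceptionType
    approved: bool                                   # only reviewed, approved exceptions apply
    computers: frozenset = frozenset()               # empty means "any computer"
    control_activities: frozenset = frozenset()      # empty means "any control activity"

    def covers(self, r: Result) -> bool:
        """True when this exception removes result r from scoring."""
        if not self.approved:
            return False  # submitted but not yet approved: no effect on scoring
        on_computer = r.computer in self.computers
        on_activity = r.control_activity in self.control_activities
        if self.kind is ExceptionType.PROGRAM_SCOPE:
            return on_computer
        if self.kind is ExceptionType.POLICY:
            return on_activity
        return on_computer and on_activity  # CONTROL_ACTIVITY_SCOPE


def score_program(results, exceptions):
    """Score only the results no approved exception covers; note the rest on the report."""
    scored, excepted = [], []
    for r in results:
        (excepted if any(e.covers(r) for e in exceptions) else scored).append(r)
    passed = sum(r.passed for r in scored)
    pct = round(100.0 * passed / len(scored), 1) if scored else 100.0
    return {
        "score_pct": pct,
        "scored": len(scored),
        "passed": passed,
        "failed": len(scored) - passed,
        # still reported, so reviewers can see what was excluded and why
        "excepted": [(r.computer, r.control_activity) for r in excepted],
    }


def approve_all(exceptions):
    """Model the review step: return copies of the exceptions marked approved."""
    return [replace(e, approved=True) for e in exceptions]


# Constructed sample data (hypothetical computers and control activity ids).
RESULTS = [
    Result("lob-app-01", "PWD-MIN-LEN-8", False),   # legacy app cannot meet the policy
    Result("lob-app-01", "AV-INSTALLED", True),
    Result("web-01", "PWD-MIN-LEN-8", True),
    Result("web-01", "AV-INSTALLED", True),
    Result("web-01", "PCI-REQ-NA", False),          # activity that does not apply here
    Result("test-vm-01", "AV-INSTALLED", False),    # test VM wrongly in program scope
    Result("test-vm-01", "PCI-REQ-NA", False),
]

EXCEPTIONS = [
    GrcException(ExceptionType.CONTROL_ACTIVITY_SCOPE, approved=True,
                 computers=frozenset({"lob-app-01"}),
                 control_activities=frozenset({"PWD-MIN-LEN-8"})),
    GrcException(ExceptionType.PROGRAM_SCOPE, approved=True,
                 computers=frozenset({"test-vm-01"})),
    GrcException(ExceptionType.POLICY, approved=False,   # awaiting review
                 control_activities=frozenset({"PCI-REQ-NA"})),
]

if __name__ == "__main__":
    print("before policy exception is approved:", score_program(RESULTS, EXCEPTIONS))
    print("after approval:", score_program(RESULTS, approve_all(EXCEPTIONS)))
```

With the sample data the unapproved policy exception leaves the inapplicable PCI activity in scoring (score 75%, one failure), while the two approved exceptions keep the legacy application's password result and the test VM's results off the score but on the report; approving the third exception raises the score to 100%.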