AcadiFi · Governance Checklist 2026-05-20 · CIA Core: Policy Exceptions and Risk Acceptance

What should a policy exception include?

- I see exam questions where management wants to bypass a security or operations policy. What makes an exception acceptable?

38 upvotes

Answer by Verified Expert (AcadiFi Certified Professional)

Answer:

A policy exception should identify the policy being excepted, the exact deviation, the business justification, the risk owner, the authorized approver, compensating controls, expiration date, monitoring requirements, and the plan to return to normal compliance.

The exception should be documented before the deviation when feasible. If the situation is urgent, the organization should still document the decision as soon as possible and perform after-the-fact review.

The mistake is treating a manager's request as enough. The approver must have authority over the policy and the risk. Otherwise, the request should be escalated to the appropriate control owner or governance channel.

Tags: #policy-exception #risk-acceptance #compensating-controls #governance