Manage exceptions to your cybersecurity policy


A good cybersecurity policy sets the expectation for what security controls your organization needs to have in place. But your organization may have certain legacy systems that aren’t able to meet every aspect set out in your policy. Or you may have weaknesses in your cyber defenses that your management team knows about.


All too often, we see organizations condone exceptions when certain policy requirements can’t be met. While there could be a valid reason for an exception, these are things an attacker can use to breach your organization, so they need to be managed and corrected to make sure you’re continuously improving your ability to resist a cybersecurity attack.


Next steps

  • Conduct a thorough vulnerability assessment and a risk assessment: These assessments will allow you to identify areas were you’re not meeting your cybersecurity policy today.
  • Document the exceptions where your systems aren’t capable of meeting your cybersecurity policy: These exceptions need to be well-defined. Also, an executive manager who is ultimately responsible for making sure the exception is resolved needs to be assigned. Set an expiration date at which you will review progress on remediating the exception and determine whether the exception needs to be extended.

Review exceptions nearing expiration: Periodically review exceptions and make sure progress is being made to resolve them. Just like any other corrective action, you need to monitor progress and empower and hold accountable those who have been designated to resolve the exception.