S 2.380 Granting exceptions
Initiation responsibility: IT Security Officer, Supervisor
Implementation responsibility: Supervisor, IT Security Officer
In individual cases, it may make sense or be necessary to make exceptions to the rules specified in a security policy. Exceptions should be avoided whenever possible, but it is always better to make an exception than to adhere inflexibly to a policy that is impossible to follow in some specific, individual cases. If such exceptions occur frequently, then this could indicate that the existing security policies need to be reconsidered and possibly adapted accordingly.
In any case, though, exceptions must be approved by an authorised body. Both the specialists responsible for the information and applications concerned (their "owners") and the security management must be involved in the approval procedure for exceptions. All exceptional cases must be examined closely to see whether they undermine the security policies. A risk assessment must be performed for this purpose. Exceptions must only be granted when the assessed risk level is considered tolerable.
Granted exceptions should only be allowed for a specific, limited time. The approved exceptions must be reviewed regularly (no later than every 12 months) to check whether they are still necessary and whether an exception that is about to expire should be cancelled or extended again.
The justification for the exception should then be provided in writing and signed by the person responsible.
A documented procedure should be available for granting exceptions. The procedure should document the following at a minimum:
- reasons why it is necessary to deviate from the security policies and which rules are affected by the exception,
- description of the form the exception takes, an account of its effects, and a determination of the areas affected by it, including the risk assessment,
- the time at which the exception was granted,
- applicant and person granting the exception,
- period of time and expiration date of the exception.
All employees affected by a deviation from the currently valid security policies must be informed of the exception.
Review questions:
- Is there an approval and documentation procedure available for granting exceptions?
- Is an overview of all exceptions granted available?
- Are there understandable reasons for all exceptions?
- Are the possible consequences of exceptions analysed, and was the assessed risk considered acceptable?
- Is it ensured that all exceptions granted are cancelled as soon as they are no longer required?