How to Exempt a whole system (entity) with Policy Exceptions

Alex305
Tera Contributor

Hi,

Looking at the Policy Exception process I was wondering if there would be a way to use policy exceptions for a specific use case:

"My policies apply to a selected scope of Systems and I want to descope one of these systems using the Exception workflow (to have it documented and approved)."

A more specific example would be: I have a set of 10 policies for a total of 200 Control Objectives for my systems hosted in my DC. One of these systems will be decommissioned in 10 months and I don't want to enter the compliance process for that system. I want to formally register an exception for that specific system, to get it approved.

 

Currently I don't see how to easily map my Policy Exception to my system for all my policies:

- I would need to select controls as a source and add all the controls (and thus be sure the controls are created, which might not be the case)

- OR I would need to request a policy exception for each of my policies, but I don't see how to clearly map it to my system (without using the impacted controls).

 

Do you have any other idea how to do this in the easiest way? 

 

Thanks!


Sebastien Fix
Giga Guru

Based on your use case there is no need for a policy exception: once an entity is retired / set to inactive, all related controls are retired and will no longer be attested. This is a scheduled job running every 5 min OOTB. So if you maintain a decent CMDB, and use Entity Filters to maintain your Entity Types ("scope of systems"), SN will take care of it for you.

 

If you have such a large range of policy exemptions for a specific "scope of systems", then just re-scope your entity types to assign a more relevant set of policies against them.

 

Policy Exemptions are meant to be exemptions 🙂

Thanks for your reply Sebastien, what you describe is very clear to me.

But if you look at the example I gave, you would understand that there is a risk from descoping the system, as it is still in production, but I didn't want to spend any time on it as I will decommission it soon. So I want somebody to formalize this assessment and accept/reject the risk. I think the exception workflow would qualify for that, but it is still unclear how to make it work.

Ah, so you do want the risk assessment to be run until decommissioning - but then run a policy exception to the controls related to those risks?

That would be indeed a solution but I was looking for something even without creating the controls... It's maybe because we took a wrong approach in the way we deploy controls.... Thanks for your replies.