policy exception guidelines

11-21-2024 05:58 AM
Hi,
This is not a technical question, but more user training.
Background:
My client is implementing policy and policy exceptions, and wants assistance on how to provide guidelines to the organization, on when a policy exception is reasonable and when it is not.
In other words, the organization should not be raising policy exceptions without good reason.
Question:
Does ServiceNow provide an OOB list/guideline for when a policy exception can be used, and when it cannot be used?
11-21-2024 09:41 PM
Hi,
ServiceNow doesn't provide the list; according to my understanding, it depends on the use case that your client is implementing.
There are a few cases which I am aware of:
1. A policy exception can be raised against a policy through an acknowledgement campaign
2. Can be raised against control objectives
3. Can be raised against an issue
Example:
Let's say an organization has a policy which is applicable to employees, where the org sends an acknowledgement to all employees to acknowledge adherence to the policy. In this case, if some employee wants a relaxation from this policy for a temporary period of time, then he can raise a policy exception against it.
I know this is more of a functional query; I hope my answer will be of some help.
Thank You!
Meghashree
3 weeks ago
So if a policy exception is raised against a control/control objective, once it's approved, does it result in making the control compliant, or does it just buy some time/temporary relief for the requestor to fix any underlying issues and be ready to be compliant?
3 weeks ago
@Kaustav Mukherj Yes, if a policy exception is raised against a control, once it is approved, the control will be set to "compliant" with exemption and all associated attestations will be cancelled until the valid to date of the exception.
3 weeks ago
Thanks.
But what is the rationale behind the logic of making the control "compliant" once an exception is approved, because getting an exception doesn't contribute anything to reducing the risk for which the control was there in the first place? Showing a control as compliant with an exception provides a false sense of security.