policy exception guidelines

11-21-2024 05:58 AM
Hi,
This is not a technical question, but more about user training.
Background:
My client is implementing policy and policy exceptions, and wants assistance on how to provide guidelines to the organization, on when a policy exception is reasonable and when it is not.
In other words, the organization should not be raising policy exceptions without good reason.
Question:
Does ServiceNow provide an OOB list/guideline for when a policy exception can be used, and when it cannot be used?
2 weeks ago
What else would be the reason for a policy exception?
You have a situation where you can't be compliant, so you need an exception. Once this exception is approved, it means you are allowed to be non-compliant for a defined period of time. That is the definition of a policy exception: it means you have approval not to be compliant => from an audit point of view you are compliant at this moment. To get an approval you still have to do a risk assessment/evaluation and define possible mitigations to reduce the risk.
This way a policy exception will help you, e.g., in a situation where you have to complete a process by a specific date and are not able to meet the date for whatever reason. A policy exception would be one way to give you the time you need to complete the process and be compliant in the end again, and in the time in between. From an audit & compliance point of view this can be very important.
If it is not for a (short) limited amount of time you will have to use risk management.
This is what Governance, Risk and Compliance is all about.
2 weeks ago
I think my question is not properly understood. I am very much clear on the purpose an exception serves: approval to have temporary relief for a defined period of time. What I am questioning is the fundamental logic of changing the state of a control with an exception. I think what is being confused here is "exception" vs. "exemption"; they sound similar but are different in concept. We cannot eliminate the concept of risk and look at all of these in isolation.
3 weeks ago
Thanks.
But what is the rationale behind the logic of marking the control as "Compliant" once an exception is raised and approved, because getting an exception doesn't contribute in any way to reducing the risk for which the control was there in the first place? So, making a control compliant because of an exception provides a false sense of security.