Policy Exceptions

John C
Tera Contributor

Hello,

I have been trying to get a better understanding of how others are using the Out of the Box Policy Exception module in ServiceNow. 


To me, the process seems a bit counterintuitive in that approvals are the responsibility of control owners and the requestor's manager. In many cases I have seen, the requestor tends to be the control owner, meaning they or their manager can just approve their own exception requests. I understand having a more robust and business-integrated CMDB could solve this issue. However, I feel many companies are not at that point in CMDB maturity and IT SMEs still own system and application controls.


Also, it seems strange that whoever is the listed Approver doesn't actually do any approving. For some risks in the organization we would want members of the executive team to sign off since the responsibility of critical or high risks should not fall to a manager or even director in some cases. Yet, there is no way outside of approval rules or assigning them to a control to include them in the process. The approval rules are a great addition, but are static and I have not found a way to easily generate approval flows without customization. 


Lastly, it seems by default SNOW wants exceptions generated from the Vulnerability Response module to just be automatically approved since nearly no information is provided from those requests naturally. Without some customization, Risk analysts have to go digging for further information incurring a ton of extra time spent trying to process those exceptions. 


At the moment we have our entire Policy Exception process customized to fit a flow we created, but that is also causing headaches since it clashes with other Out of the Box processes.

If someone has a success story or tips on how they successfully implemented SNOW out-of-the-box Policy Exceptions, I would love to hear them for guidance!


John C.
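The two concerns in the post, self-approval by a requestor who owns the control and the lack of an executive sign-off for critical or high risks, are really routing rules. The following is an added example, not code from the post and not ServiceNow's own API or data model: it models the decision logic in plain JavaScript (the language of ServiceNow server scripts) so it can be reasoned about before being wired into approval rules or a Flow Designer flow. The record shape (requestor, controlOwner, riskRating, justification, compensatingControls, expiresOn), the user directory and the role names are all constructed for the illustration. It also adds a completeness gate for the Vulnerability Response case, so an exception arriving with no information is routed back for details instead of being approved.

```javascript
// Added example (not ServiceNow code): routing logic for policy exception
// approvals. Enforces:
//   1. nobody approves their own exception, and the requestor's manager is
//      not used as an approver when they also own the control;
//   2. critical/high risks need an independent executive sign-off;
//   3. exceptions missing justification, compensating controls or an expiry
//      (typical of auto-generated Vulnerability Response requests) are sent
//      back for information rather than routed for approval.
// All field names, users and roles below are constructed for the example.

const EXECUTIVE_TIERS = new Set(["critical", "high"]);
const REQUIRED_FIELDS = ["justification", "compensatingControls", "expiresOn"];

// Hypothetical user directory: user -> { manager, roles }
const DIRECTORY = {
  alice: { manager: "bob", roles: ["control_owner"] },
  bob: { manager: "carol", roles: ["manager"] },
  carol: { manager: null, roles: ["executive"] },
  dave: { manager: "bob", roles: ["control_owner"] },
};

// Returns the set of independent approvers for an exception plus any notes
// explaining why an expected approver was skipped.
function approversFor(exception, directory = DIRECTORY) {
  const { requestor, controlOwner, riskRating } = exception;
  const approvers = new Set();
  const notes = [];

  // The control owner signs off unless they are the requestor.
  if (controlOwner !== requestor) {
    approvers.add(controlOwner);
  } else {
    notes.push("requestor owns the control; control-owner approval skipped");
  }

  // The requestor's manager approves only when independent of the request:
  // not the requestor themselves and not the person who owns the control.
  const manager = directory[requestor] ? directory[requestor].manager : null;
  if (manager && manager !== requestor && manager !== controlOwner) {
    approvers.add(manager);
  }

  // Critical/high risk requires an executive who is not already involved.
  if (EXECUTIVE_TIERS.has(riskRating)) {
    const exec = Object.keys(directory).find(
      (u) =>
        directory[u].roles.includes("executive") &&
        u !== requestor &&
        u !== controlOwner
    );
    if (exec) {
      approvers.add(exec);
    } else {
      notes.push("no independent executive available");
    }
  }

  // Hard rule: the requestor never approves their own exception.
  approvers.delete(requestor);

  if (approvers.size === 0) {
    notes.push("no independent approver; route to manual review");
  }

  return { approvers: [...approvers].sort(), notes };
}

// Completeness gate first, then approver routing.
function route(exception, directory = DIRECTORY) {
  const missing = REQUIRED_FIELDS.filter((f) => !exception[f]);
  if (missing.length > 0) {
    return { status: "needs_information", missing, approvers: [], notes: [] };
  }
  const { approvers, notes } = approversFor(exception, directory);
  return {
    status: approvers.length > 0 ? "pending_approval" : "manual_review",
    missing: [],
    approvers,
    notes,
  };
}

// Constructed sample: a Vulnerability Response exception with no details.
const sampleVrException = {
  requestor: "dave",
  controlOwner: "alice",
  riskRating: "high",
  source: "vulnerability_response",
};
console.log(JSON.stringify(route(sampleVrException)));
```

Running this with a fully populated record where the requestor also owns the control shows the control-owner approval being dropped and the manager plus an executive taking its place; a record where the only executive is also the requestor falls through to manual review instead of being self-approved.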

2 Replies

Donte Hooker1
Giga Guru

You may want to consider looking into the approval rules and verification rules. Using these you can configure the workflow as needed without customizing the policy exception solution.

Lucky10
Kilo Expert

We are currently implementing this function. It appears the OOB functions have been changed on the front end.

The listed approver is actually the "Assigned To" field, so if you are processing several items (quantity) over a larger team, you may want to evaluate putting that back to assigned, creating a separate approver field, and using Flow Designer to request the proper approvals. The OOB approval workflows (Flow Designer) are easily updated or deactivated.

You will also notice that the UI actions for "Requesting more information" may cause some issues. Run through the process end to end using each UI Action before you make any decisions!!

One final thing for you to note is that the OOB UI for doing a Risk assessment, using the PE Assessment/Questions, no longer exists. The scripts are still there, just hidden/deactivated. We opened a support ticket with SN as there were some gotchas in the end-to-end execution.

I recommend you keep details of what you change in case SN rolls out a store update to correct some things.

Finally, if the VR integration is in place for PE, it should follow the base PE process.