VR Exception Management Tips and Tricks

Eliz Skogquist · ‎11-20-2023

Our "Success with Vulnerability Response" series of recommended practices deep-dive webinars continues. We recommend all Vulnerability Management programs have an approved exception process, to maintain compliance with company policies. ServiceNow provides the option to have the Risk and Compliance teams a part of the vulnerability exception approval. Jamie Jackson, Sr. Product Success Manager, SecOps and myself, Sr. Product Success Manager, SecOps teamed up to share insights on how to get these capabilities in place. The webinar presents:

Exception Management (VR)

Approval Rules
Exception Rules
False Positives
Risk Reduction

Using Policy Exception (GRC license, required)

Integration setup
Verification Rules
Approval Rules
Extensions

Watch the webinar recording here:

Resource Links

ServiceNow Documentation - using VR

ServiceNow Documentation - using GRC: Policy Exception

Question	Answer
Are there any plans to implement risk reclassification feature outside to the vulnerability workspace?	Currently most enhancements are planned for the workspace. At this time it is not scheduled to be available from the native UI.
Can we add reasons or only OOB reasons?	You can add more reasons, to have them align with your organization's acceptable reasons.
Can we do exception rules based on Qualys ID?	Yes, you can condition on any field you can access from the table.
Can you configure where a rejection goes back to, i.e. reject back one level, or reject back to first approver	Not OOB. You’ll have to make customizations to the flow in order to achieve approval loops.
Do you make a distinction between deferred and risk accepted? In my mind deferred is just an action with longer time line, risk accepted means we will not do anything	This can be done through the Reason. One of the deferral reason is “Risk Accepted”.
Do you need to except per VI? or can you group VI's?	You can request an exception for a vulnerable item or a Remediation Task (which applies across all VIs in the group).
Does this also allow this to be changed, if Rem Owner says low risk but it is high how do we correct, or do we reject completely?	Currently the Approver does not have the option to select a risk level that wasn't requested. It would require customization.
Exception rule automation continues to work as defined even after implementing GRC/IRM management for the other manual exceptions, correct?	Yes, that’s correct, all requests will follow the configuration for exception. If Vulnerability Management is selected, even if IRM is licensed and implemented, the approval process remains as defined for Vulnerability Management. Only when the Exception Management configuration is changed to GRC: Policy and Compliance will the set-up for that approval flow be needed for its use.
For Exception Rules, when we create them and choose the check box for run on existing vulnerabilities, why doesn't the existing VITs change from OPEN to IN REVIEW like it does for standard Exception Requests?	The VIs will be automatically moved to deferred once the exception rule has been approved and executed. Only at that time are the VIs that meet the condition grouped, and set to a matching state: deferred.
For the questionnaire, is it possible to have the questionnaire work with bulk edit? We have found that the questionnaire is not called up when bulk edit is used to submit exception requests.	We’ll will have a look at that capability. You can also raise a request in the idea portal for this feature.
How are existing remediation tasks affected when applying an exception rule? From my understanding, the vulnerable items remain in those tasks. Is there a way to have them removed?	The vulnerable items currently in a remediation task, remain in that task(s), and are added to the new deferral task created by the exception rule. If you wanted them removed, it would be a customization.
How does this process work with mass exceptions from VR? Does it operate similarly from the list view?	Mass exceptions can be done with an exception rule. It wouldn't be triggered from the list view.
How many approval levels are possible for VR?	There in no limit to it. It is configurable to included as many levels as are needed.
I was thinking that "entity" would be a standard field on the request screen in addition to control objective	This is mostly on the GRC side, hence would suggest to check in the docs once.
If I wanted to setup an approval that went to an individual, but also wanted their manager to be able to approve the exception in case that individual is not available. Is there a way to do that in a way in which the manager does not get the notifications around the approval itself? So only the individual gets the approval. Almost like a stand-in feature	You can set up a delegate for the individual to be the manager for approvals. This is a platform capability that can be leveraged for this requirement.
If you switch the configuration to use GRC, what happens with the existing deferrals? Is there anything we would need to do to go through those records?	The existing deferrals will reamin as is. Only the new deferrals will go through GRC.
Is GRC now IRM?	Yes, IRM is a broader reference to the suite of solutions available for that space.
Is it possible to configure an exception that allows for VI's to be added at a date after approval?	The VIs be added post the approval only, and don't apply until the Valid from date. If you processed the request for exception rule approval ahead of the Valid from date, and approval occurs before that date, VIs will only be added after the Valid from date.
Is it possible to delete SDIs for retired CIs? The delete command is not available?	Deleting discovered items is not recommended. You can use auto-close to close the VITs for the retired CIs.
Is Risk Reduction only in the workspace view?	Yes, the new functionalities will mostly be released in the workspace.
is there a way to have assignment rules set-up to trigger on re-opens. Im told currently it only works for initial finds, but if its closed and then re-opened the rules dont work.	You can update the BR to make the change for assignment rules to run on re-open. But OOB, on reopen the vulnerability and the CI remains the same, hence the assignment group should not need updating.
is there closed loop validation plans on these mitigating controls or just the end user indicates what they think is mitigation	Confirmation of the mitigating control would be within the customer's process. Currently, there is no automated check on a mitigating control in place.
It would be helpful if you could add a record preview similar to assignment rules in the exception rules, thanks!	That seems reasonable. Can you please log a request in the idea portal for this? We can have a discussion internally on this.
Please share link where we can view past recordings	The Success with VR webinar series recordings can be found out on Community, in the Security Operations group For new VR customers > Articles: https://www.servicenow.com/community/for-new-customers-vr-articles/tkb-p/secops-vulnerability-respon...
Prisma automatically ingests cloud misconfigurations, but the findings are stored as CTRs. we want to process deferrals for ALL vulnerabillities the same way, regardless of the vulnerability source	Exception requests are available in Configuration Compliance, and work with Approval Rules in the same way.
Right....but that is different than Standard Exceptions. It can take weeks before the rule is approved. And in the meantime those VITs will 'Miss Target'. So invariably, we have to submit an Exception Rule AND a regular Exception Request so that the identified go into the IN REVIEW state and we don't get 'dinged' for non-compliance.	From the product perspective, if the exception rule has been approved, it doesn’t make sense to raise different requests for each VIT. In case you would like to go via that approach, you can customize it.
Can high risk have more approvals, low risk less approvals?	Yes, you can configure the approval rules in this fashion.
Can we have 3 levels required for approval for VR?	There is no limit to the number of approvals you can configure.
The only difference I see with VR exception Requests and GRC policy Exception is Flexible Approval flow, verification, and Policy Exception approves. Correct?	Yes, that’s correct! Also, with VR, you can create exception rules, to have certain conditions move VITs into deferral on ingestion.
This is the title of my idea on the Idea Portal Site. Change state of VITs to IN REVIEW when 'Execute on Existing Data' is selected for Exception Rules	Thank you for sharing your ideas. Requesting any other customers who favor this idea to go into Support, on the Idea Portal and up vote it. That would have the enhancement get prioritized for earlier scheduling/release.
We require teams to request and provide evidence as to why they want it - then the admin determines if it will accept the risk and Perm for 1 year	Evidence can be attached and sent for the approval.
What about for vulnerabilities not stored in the VIT table? For example: container vulnerabilities in CVIT table	CVIT also has the capability to have an exception/deferral requested, or exception rule executed on it.
When using the GRC Exception process, is there any automation when an exception is approved to map back to the VIT or VUL "Until" date to defer them based on a date from the exception like it does when using the VR exception property?	The Policy Exception process once approved, will map the Until date back to the VIT/VUL.
Will there be a False Positive Rule feature?	Currently, we don’t have that in the roadmap. Please raise a request in the idea portal and as we hear from other customers as well, it will be considered.
Currently, with questionnaire we have seen if the request is canceled it does not cancel in system and still submits. Is this fixed?	We are aware of this issue and are actively working with the other teams to resolve this.

Rich32 · ‎02-14-2025

@Eliz Skogquist are the videos still available?

Eliz Skogquist · ‎02-18-2025

Rich32,

Is the webinar video not playing for you? When I tested it from within the article it played. Please advise.

Elizabeth

June · ‎02-24-2025

This happens to me when I use Edge but not Chrome.

ositamefor · ‎06-24-2025

Since they don't have access to exception rules, what is the best way for the remediation owner to easily submit Exception Requests for vulnerabilities, rather than submitting a request for each remediation task?

Eliz Skogquist · ‎06-24-2025

Hi ositamefor,

Bulk edit is available for exception across multiple Remediation Tasks in the Vulnerability Manager Workspace. See docs: https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/vr-vulnerability-ma....

As well, "Exception rules to be available when the GRC Exception Management configuration" is planned for December 2025.