Vulnerability Response - Manage exceptions using GRC: Policy and Compliance
02-25-2025 07:59 PM
Hello,
I have a couple of questions related to the exception process when we enable the setting of manage exceptions using GRC: Policy and Compliance within Vulnerability Response -> Administration -> Exception management.
1. It seems like out of the box, we won't be able to create Exception rules when we enable the setting of manage exceptions using GRC: Policy and Compliance? Does anyone know the reason why OOTB doesn't allow the creation of exception rules?
2. Exception rules can be created to auto-defer VITs if we are using the Vulnerability Response exception management process. How can we achieve the same functionality using the GRC exception process?
3. Once the exception is created for either a VIT or a Remediation task, it seems like selection of impacted controls is mandatory when the exception is in the "Analyze" state. Does this mean we need to create entities (in IRM) for each and every CI present in the CMDB and generate controls for them so that these controls can be added as impacted controls for an exception? If anyone has experience dealing with a similar use case, please share your thoughts. I feel like generating entities and controls for each CI in the CMDB is a bit too much.
I would highly appreciate it if anyone from the SecOps product team could provide their insights on the best practices of using Exception management functionality leveraging GRC: Policy and Compliance.
03-14-2025 08:07 AM
Hello - Just wanted to close the loop on this request. I learned from SN Support / Product team that they recognize this as a gap in the current functionality and are planning to enhance it in the near future.