Request an exception for remediation tasks using GRC: Policy and Compliance Management

  • Release version: Xanadu
  • Updated August 1, 2024
  Request policy exceptions using the GRC policy exception management capability in the Policy and Compliance Management application from within Configuration Compliance.

    Before you begin

    Before you can use the Policy Exception Integration to request policy exceptions, you must download the GRC: Policy and Compliance Management application from the ServiceNow Store.

    Role required: sn_vulc.remediation_owner

    You can also request exceptions in the classic UI.

    About this task

    Starting with version 19.0 of Vulnerability Response, you can request policy exceptions for Remediation Tasks (RTs) in the IT Remediation Workspace. For more information, see Request an exception using GRC: Policy and Compliance Management in the IT Remediation Workspace.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology (terminology prior to v14.9 → terminology v14.9 onwards)
      Test Result Group → Remediation Task
      Group Rules → Remediation Task Rules
      Policy → Test group

    Procedure

    1. Navigate to All > Application Vulnerability Response > Application Vulnerable Items (or Remediation Tasks) > All, and open the item or group for which you want to request an exception.
      The selected item or group must be in the Open, Under investigation, or Awaiting implementation state; Request Exception is not available from other states.
    2. On the selected form, click Request Exception.
    3. If GRC: Policy and Compliance Management is selected in the Exception Management screen, do the following.
      1. On the form, fill in the fields.
        Table 2. Request Exception form (field: description)
        Policy: Vulnerability Management policy that you're requesting an exception for.
        Control objective: Control objectives associated with the selected policy. If no policy is selected, all control objectives are listed.
        Valid from: Date when the exception starts. The default value is the current date. This date can't be in the past.
        Valid until: Date when the policy exception expires; at that point the state of the vulnerable item or group changes from Deferred back to Open.
        Note:
        The number of days that the policy exception is valid can't exceed the Maximum exception duration (days) set for the policy in Policy and Compliance. For more information, see Create a policy.
        Reason: Reason for requesting the exception.
        Justification: Details supporting the reason for the request. The remediation owner must fill in this field.
      2. Submit the exception request by clicking Request Approval.
        The state of the remediation task changes to In Review and a policy exception is created. Use the State Change Approval tab to track the status of the exception request.
      3. View the policy exception by clicking the Policy Exceptions related list.
      4. Click the policy exception number.
      5. In the Approver field, select the name of the approver.
      6. Click the Source tab and select a control objective from the Control objective field.
      7. Click the Risk assessment tab and select the risk rating from the Risk rating field.
      8. Save the form.
      9. Click the Impacted Controls tab.
      10. Add the controls by clicking Add.
      11. Save the form.
        Note:
        You can raise a compliance review by clicking Request compliance review.
      The approval form is sent to the approver.

      The approver can either approve the request by clicking Approve or request additional approval by clicking Request Additional Approval.

      Once the request is approved, the record state changes to Deferred. The reason shown on the record is the one you selected when raising the exception request, and the Deferral tab provides additional notes on the record.
      Note:
      If the request gets rejected, the record moves to its previous state.
    4. Click Submit.
      For more information on the Policy Exception Integration and the hand-off between the remediation owner and the compliance manager, see Policy and Compliance Management optional setup.
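
The form and workflow rules above (eligible starting states, Valid from not in the past, duration capped by the policy's Maximum exception duration, In Review → Deferred on approval, back to the previous state on rejection, Deferred → Open on expiry) can be modelled as a small stand-alone check. The following is an added example in plain JavaScript, not ServiceNow code and not part of this page's product: the state and field names are taken from the procedure, while the `policy` and `task` objects, the task number `RT0001` and the helper names are constructed for the example.

```javascript
// Added example (not ServiceNow code): an offline model of the exception request
// rules this page describes, usable as a pre-submission sanity check.
// State and field names come from the page; task/policy objects are constructed.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// States from which "Request Exception" is available on the form.
const ELIGIBLE_STATES = new Set(['Open', 'Under investigation', 'Awaiting implementation']);

// Parse a YYYY-MM-DD string as a UTC date-only value; throws on malformed input
// so a bad date can never silently pass the duration check below.
function parseDay(s) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) throw new Error(`bad date: ${s}`);
  const d = new Date(`${s}T00:00:00Z`);
  if (Number.isNaN(d.getTime())) throw new Error(`bad date: ${s}`);
  return d;
}

// Validate a Request Exception form against the policy before Request Approval.
// `today` is passed in (YYYY-MM-DD) so the check is deterministic and testable.
// Returns { ok, errors, durationDays }.
function validateExceptionRequest(task, request, policy, today) {
  const errors = [];
  if (!ELIGIBLE_STATES.has(task.state)) {
    errors.push(`task ${task.number} is in state "${task.state}"; ` +
      'exceptions can only be requested from Open, Under investigation or Awaiting implementation');
  }
  const from = parseDay(request.validFrom);
  const until = parseDay(request.validUntil);
  const now = parseDay(today);
  if (from < now) errors.push('Valid from cannot be in the past');
  if (until < from) errors.push('Valid until cannot be before Valid from');
  const durationDays = Math.round((until - from) / MS_PER_DAY);
  if (durationDays > policy.maxExceptionDurationDays) {
    errors.push(`requested ${durationDays} days exceeds the policy maximum of ` +
      `${policy.maxExceptionDurationDays} days`);
  }
  if (!request.reason) errors.push('Reason is required');
  if (!request.justification) errors.push('Justification is required (filled in by the remediation owner)');
  return { ok: errors.length === 0, errors, durationDays };
}

// State machine for the remediation task during the exception workflow.
// Returns a new task object and never mutates its input.
function transition(task, event) {
  switch (event) {
    case 'request_approval': // Request Approval clicked: remember where we came from
      if (!ELIGIBLE_STATES.has(task.state)) throw new Error(`cannot request approval from ${task.state}`);
      return { ...task, previousState: task.state, state: 'In Review' };
    case 'approve':          // approver clicks Approve
      if (task.state !== 'In Review') throw new Error(`cannot approve from ${task.state}`);
      return { ...task, state: 'Deferred' };
    case 'reject':           // rejected: record moves back to its previous state
      if (task.state !== 'In Review') throw new Error(`cannot reject from ${task.state}`);
      return { ...task, state: task.previousState, previousState: undefined };
    case 'expire':           // Valid until reached: Deferred -> Open
      if (task.state !== 'Deferred') throw new Error(`cannot expire from ${task.state}`);
      return { ...task, state: 'Open' };
    default:
      throw new Error(`unknown event ${event}`);
  }
}

// Constructed sample data for a stand-alone run (not real records).
const samplePolicy = { name: 'Vulnerability Management', maxExceptionDurationDays: 30 };
const sampleTask = { number: 'RT0001', state: 'Open' };

function demo() {
  const result = validateExceptionRequest(sampleTask, {
    validFrom: '2024-08-01',
    validUntil: '2024-09-15', // 45 days: over the 30-day policy maximum
    reason: 'Compensating control in place',
    justification: 'Host is network-isolated pending decommission',
  }, samplePolicy, '2024-08-01');
  console.log(result);
  const inReview = transition(sampleTask, 'request_approval');
  console.log(transition(inReview, 'reject').state);   // back to Open
  console.log(transition(transition(inReview, 'approve'), 'expire').state); // Deferred, then Open
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The duration check uses date-only UTC values so a local-timezone offset cannot turn a 30-day window into 31; the state machine keeps `previousState` explicitly because the page's rejection rule depends on it.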