Policy Exception Integration with Vulnerability Response
Starting with Version 10.1, you can request policy exceptions using the GRC policy exception management capability of the Policy and Compliance Management application from within version 10.3 of the Vulnerability Response application.
Benefits of using the Policy Exception Integration
- Perform assessments to gather additional information about the requests.
- Request exceptions based on a specific policy or control objective. This action shows the effects on compliance when an exception is approved.
- Configure approvals to be triggered automatically based on the risk rating, policy, or control objective associated with the policy exception.
How the Policy Exception Integration works
The scenario described here assumes that a vulnerability has been identified in your system and your remediation owner has determined that a software patch is needed. The patch has not been fully tested and the owner is requesting a policy exception to defer deployment of the patch until testing is complete.
- When the Vulnerability Response application was installed, two policy exception integration records were automatically created and added to the Integration Registry, one for a vulnerability group and one for a vulnerable item.
Figure 2. Policy exception integration register
To configure the vulnerable item record, the compliance manager performs the following steps.
- Identifies the mapping of tables used to integrate the two applications.
- Defines reasons for requesting exceptions.
- (Optionally) Defines policy categories for filtering policies.
- (Optionally) Creates one or more questionnaires to be sent to the requester to gather additional information about the policy exception request.
- The compliance manager also defines optional verification rules and approval rules to automate the process of obtaining approvals for the policy exception.
- In Vulnerability Response, the remediation owner requests an exception using GRC: Policy and Compliance Management.
- If a verification rule was defined for the application, the designated approvers are notified that their approval is required. If any fields in the policy exception request were not filled in by the requester (for example, the Policy or Control Objective), those fields become mandatory for the approvers. When the approvers have reviewed, completed, and approved the request, it transitions to the Analyze state and is assigned to the compliance manager for further analysis and approval.
- In Policy and Compliance Management, the compliance manager receives the approved request and assigns a risk rating to the policy exception request on the Risk assessment tab.
Figure 3. Policy exception request on the Risk assessment tab
When the policy exception record is saved, the information in the Source tab, including the source application and source record, and the information in the Vulnerable Items related list are auto-populated. The compliance manager now has access to all the data needed to review and approve the policy exception.
- In Policy and Compliance Management, the compliance manager performs the exception assessment, if assessments were configured. When the assessment is completed, the compliance manager returns to the Risk assessment tab and, if needed, updates the Risk rating based on the findings of the assessment. The compliance manager also populates the following fields with information gathered during the assessment.
Table 1. Risk assessment tab (Field: Description)
  Risk description: Provide details about the risk associated with this policy exception.
  Analysis of risk and impact: Provide details about your analysis of the risk and impact of the policy exception.
  Risk mitigation plan: Provide details about the mitigation plan associated with this policy exception.
- If the policy exception is missing any information, the compliance manager can click Request More Information and add comments to identify the type of data needed. The requester is notified and provides the requested information.
- Optionally, the compliance manager can send the policy exception out for an additional in-house review before approving it by clicking Request Review.
Note: Prior to requesting a review, ensure that the Impacted Controls related list contains the controls that are impacted by the policy exception. Open the related list, click Add, and select the controls.
- If the policy exception is of a particularly high risk, and the compliance manager believes that approval should come from someone higher in the organization (for example, the CIO), the compliance manager can click Request Approval. Otherwise, approval is performed in the following scenarios.
Approval rule defined (and its effect on approval):
  If an approval rule was not defined for Vulnerability Response: Selecting Approved causes the policy exception to be approved.
  If an approval rule was defined, but the Auto-trigger check box was not selected: You can click Request Approval to send the policy exception to the users or groups defined in the rule. For example, an approval rule may indicate that when the policy exception is based on a particular policy, a certain set of users or groups are notified that they need to provide approval for the policy exception. Or, an approval rule may be defined so that any policy exception with a risk rating of Critical is automatically sent to a certain set of approvers. The number of approvers necessary to approve the policy exception depends on the setting in the Required Approval field in the rule. You can also click Approve to approve the policy exception yourself.
  If an approval rule was defined, and the Auto-trigger check box was selected: Clicking the Approve button causes the approval rule to be executed, and the policy exception is automatically sent to the users or groups defined by the rule for approval. Auto-trigger makes this step mandatory. When the approvals are received, the policy exception goes into effect.
- In Vulnerability Response, after the approvals have been received, the policy exception becomes active and the patching activity on the vulnerable item is deferred until the policy exception expires. When the Valid until date is reached, the policy exception expires and the state of the vulnerable item changes from Deferred to Open.
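The following Python model is an added illustration, not ServiceNow code: it encodes the approval-routing semantics described above (no rule, rule without Auto-trigger, rule with Auto-trigger, and the Required Approval count) together with the Deferred-to-Open transition of the vulnerable item when the Valid until date is reached. The class and field names are hypothetical and do not correspond to ServiceNow tables or APIs.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class ApprovalRule:
    """Hypothetical approval rule: matches on the exception's policy or risk rating."""
    policy: Optional[str] = None
    risk_rating: Optional[str] = None
    approvers: frozenset = frozenset()   # users/groups the rule routes to
    required_approvals: int = 1          # the rule's Required Approval setting
    auto_trigger: bool = False           # the Auto-trigger check box

    def matches(self, exc: "PolicyException") -> bool:
        by_policy = self.policy is not None and self.policy == exc.policy
        by_rating = self.risk_rating is not None and self.risk_rating == exc.risk_rating
        return by_policy or by_rating

@dataclass
class PolicyException:
    policy: str
    risk_rating: str
    valid_until: date
    state: str = "Analyze"       # Analyze -> Awaiting approval -> Approved -> Expired
    vi_state: str = "Open"       # vulnerable item: Open -> Deferred -> Open
    pending_rule: Optional[ApprovalRule] = None
    approvals: set = field(default_factory=set)

def _activate(exc: PolicyException) -> str:
    # Approved exception goes into effect: patching on the vulnerable item is deferred
    exc.state, exc.vi_state = "Approved", "Deferred"
    return exc.state

def submit_approval(exc: PolicyException, rules, request_approval: bool = False) -> str:
    """Compliance manager clicks Approve (or Request Approval when request_approval=True)."""
    rule = next((r for r in rules if r.matches(exc)), None)
    if rule is None or (not rule.auto_trigger and not request_approval):
        return _activate(exc)   # no rule, or a non-auto-triggered rule and a direct Approve
    exc.pending_rule, exc.state = rule, "Awaiting approval"   # routed to the rule's approvers
    return exc.state

def record_approval(exc: PolicyException, approver: str) -> str:
    """An approver responds; the exception activates once Required Approval is met."""
    rule = exc.pending_rule
    if exc.state != "Awaiting approval" or rule is None or approver not in rule.approvers:
        return exc.state
    exc.approvals.add(approver)
    return _activate(exc) if len(exc.approvals) >= rule.required_approvals else exc.state

def expire_if_due(exc: PolicyException, today: date) -> str:
    """When the Valid until date is reached, the vulnerable item reverts from Deferred to Open."""
    if exc.state == "Approved" and today >= exc.valid_until:
        exc.state, exc.vi_state = "Expired", "Open"
    return exc.vi_state
```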