Policy Exception Integration with Vulnerability Response
Summary of Policy Exception Integration with Vulnerability Response
Starting with Vulnerability Response version 10.3 and Policy and Compliance Management version 10.1, ServiceNow enables customers to request policy exceptions directly through an integrated process between these applications. This integration allows remediation owners to defer patch deployment when necessary by formally requesting exceptions that undergo a structured assessment, approval, and risk evaluation workflow within the Governance, Risk, and Compliance (GRC) framework.
Key Features
- Policy Exception Requests: Remediation owners can request exceptions tied to specific policies or control objectives, with the impact on compliance clearly visible.
- Automated and Configurable Approvals: Approval workflows can be triggered automatically based on risk ratings, policies, or control objectives, streamlining governance.
- Assessment and Information Gathering: Compliance managers can define questionnaires and assessments to collect additional data from requesters, ensuring thorough risk analysis.
- Integrated Roles and Permissions: Minimum role requirements (such as sngrc.businessuser) ensure proper access controls for raising policy exceptions.
- Predefined Integration Records: Upon installation, integration records for vulnerability groups and items are created and configurable by compliance managers to tailor the process.
Process Workflow
The typical scenario begins with a vulnerability detection and a remediation owner identifying a necessary patch that requires deferred deployment. The remediation owner initiates a policy exception request using the integrated GRC capability. The request progresses as follows:
- Approval notifications are sent to designated approvers based on configured verification rules.
- Approvers complete mandatory fields if missing, review, and approve requests, moving them into an analysis phase.
- The compliance manager assigns a risk rating, reviews auto-populated source and vulnerability data, and conducts risk assessments including risk descriptions, impact analysis, and mitigation plans.
- If additional information or reviews are needed, the compliance manager can request these from the requester or other stakeholders.
- Final approval can be manual or automated via approval rules, with escalation options available for high-risk exceptions.
- Once approved, the policy exception activates in Vulnerability Response, deferring patching until the exception expires on the specified date.
Practical Benefits for ServiceNow Customers
- Improved Compliance Management: Understand compliance impacts of exceptions and manage approvals with configurable automation.
- Risk-Informed Decision Making: Access comprehensive risk assessments and mitigation plans before approving exceptions.
- Streamlined Exception Handling: Facilitate communication and data collection between remediation owners and compliance managers within a single integrated workflow.
- Control Over Vulnerability Remediation Timelines: Formally defer patching activities while maintaining governance and transparency.
Starting with Version 10.1, you can request policy exceptions using the GRC policy exception management capability inherent in the Policy and Compliance Management application from within version 10.3 of the Vulnerability Response application.
Benefits of using the Policy Exception Integration
- Perform assessments to gather additional information about the requests.
- Request exceptions based on a specific policy or control objective. This action shows the effects on compliance when an exception is approved.
- Configure approvals to be triggered automatically based on the risk rating, policy, or control objective associated with the policy exception.
How the Policy Exception Integration works
The scenario described here assumes that a vulnerability has been identified in your system and your remediation owner has determined that a software patch is needed. The patch has not been fully tested, and the owner is requesting a policy exception to defer deployment of the patch until testing is complete.
- When the Vulnerability Response application was installed, two policy exception integration records were automatically created and added to the Integration Registry, one for a vulnerability group and one for a vulnerable item.
Figure 2. Policy exception integration register
To configure the vulnerable item record, the compliance manager performs the following steps.
- Identifies the mapping of tables used to integrate the two applications.
- Defines reasons for requesting exceptions.
- (Optionally) Defines policy categories for filtering policies.
- (Optionally) Creates one or more questionnaires to be sent to the requester to gather additional information about the policy exception request.
- The compliance manager also defines optional verification rules and approval rules to automate the process of getting approvals for the policy exception.
- In Vulnerability Response, the remediation owner selects Request an exception using GRC: Policy and Compliance Management.
- If a verification rule was defined for the application, the designated approvers are notified that their approval is required. If any fields in the policy exception request were not filled in by the requester (for example, the Policy or Control Objective), those fields become mandatory for the approvers. When the approvers have reviewed, completed, and approved the request, it transitions to the Analyze state and is assigned to the compliance manager for further analysis and approval.
- In Policy and Compliance Management, the compliance manager receives the approved request and assigns a risk rating to the policy exception request on the Risk assessment tab.
Figure 3. Policy exception request on the Risk assessment tab
When the policy exception record is saved, information in the Source tab, including the source application and source record, as well as information in the Vulnerable Items related list, is auto-populated. The compliance manager now has access to all the data needed to review and approve the policy exception.
- In Policy and Compliance Management, the compliance manager performs the exception assessment, if assessments were configured. When the assessment is completed, the compliance manager returns to the Risk assessment tab and updates the Risk rating based on the findings of the assessment, if needed. The compliance manager also populates the following fields with information gathered during the assessment.
Table 1. Risk assessment tab
- Risk description: Provide details about the risk associated with this policy exception.
- Analysis of risk and impact: Provide details about your analysis of the risk and impact of the policy exception.
- Risk mitigation plan: Provide details about the mitigation plan associated with this policy exception.
- If the policy exception is missing any information, the compliance manager can click Request More Information and add comments to identify the type of data needed. The requester is notified and provides the requested information.
- Optionally, the compliance manager can send the policy exception out for an additional in-house review before approving it by clicking Request Review.
Note: Prior to requesting a review, ensure that the Impacted Controls related list contains the controls that are impacted by the policy exception. Open the related list, click Add, and select the controls.
- If the policy exception is of a particularly high risk, and the compliance manager believes that approval should come from someone higher in the organization (for example, the CIO), the compliance manager can click Request Approval. Otherwise, approval is performed in the following scenarios.
Approval rule defined and its effect on approval:
- If an approval rule was not defined for Vulnerability Response: Selecting Approved causes the policy exception to be approved.
- If an approval rule was defined, but the Auto-trigger check box was not selected: You can click Request Approval to send the policy exception to the users or groups defined in the rule. For example, an approval rule may indicate that when the policy exception is based on a particular policy, a certain set of users or groups are notified that they need to provide approval for the policy exception. Or, an approval rule may be defined so that any policy exception with a risk rating of Critical is automatically sent to a certain set of approvers. The number of approvers necessary to approve the policy exception depends on the setting in the Required Approval field in the rule. You can also click Approve to approve the policy exception yourself.
- If an approval rule was defined, and the Auto-trigger check box was selected: Clicking the Approve button causes the approval rule to be executed, and the policy exception is automatically sent to the users or groups defined by the rule for approval. Auto-trigger makes this step mandatory. When the approvals are received, the policy exception goes into effect.
- In Vulnerability Response, after the approvals have been received, the policy exception becomes active and the patching activity on the vulnerable item is deferred until the policy exception expires. When the Valid until date is reached, the policy exception expires and the state of the vulnerable item changes from Deferred to Open.
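The following is an added, constructed Python model of the approval and expiry logic described in the steps above (the verification step that makes unfilled fields mandatory for approvers, the three approval-rule scenarios, the Required Approval count, and the Valid until expiry that returns the vulnerable item from Deferred to Open). It is written for this page and is not ServiceNow code or its API; every class, field and function name (ApprovalRule, PolicyException, VulnerableItem, click_approve, request_approval, record_approval, expire_if_due, run_sample) is an assumption, and the sample data in run_sample is constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class ApprovalRule:
    """Hypothetical approval rule: who is notified, when it applies (by policy
    or risk rating), how many approvals are required, and whether Auto-trigger is set."""
    approvers: list
    required_approvals: int
    auto_trigger: bool = False
    policy: Optional[str] = None
    risk_rating: Optional[str] = None

    def matches(self, exc) -> bool:
        policy_ok = self.policy is None or exc.policy == self.policy
        rating_ok = self.risk_rating is None or exc.risk_rating == self.risk_rating
        return policy_ok and rating_ok


@dataclass
class VulnerableItem:
    """Constructed stand-in for a Vulnerability Response vulnerable item."""
    item_id: str
    state: str = "Open"


@dataclass
class PolicyException:
    """Constructed stand-in for a GRC policy exception request."""
    requester: str
    item: VulnerableItem
    valid_until: date
    policy: Optional[str] = None
    control_objective: Optional[str] = None
    risk_rating: Optional[str] = None
    state: str = "Analyze"
    pending_approvers: list = field(default_factory=list)
    required_approvals: int = 0
    approvals: set = field(default_factory=set)


def fields_mandatory_for_approvers(exc):
    """Verification step: fields the requester left empty (Policy, Control objective)
    become mandatory for the approvers. Returns the names of those fields."""
    return [n for n in ("policy", "control_objective") if getattr(exc, n) is None]


def _route(exc, rule):
    # Send the exception to the rule's approvers; Required Approval sets the quorum.
    exc.pending_approvers = list(rule.approvers)
    exc.required_approvals = rule.required_approvals
    exc.approvals = set()
    exc.state = "Awaiting Approval"
    return exc.pending_approvers


def _activate(exc):
    # Exception goes into effect: patching on the vulnerable item is deferred.
    exc.state = "Approved"
    exc.item.state = "Deferred"


def _matching_rule(exc, rules):
    return next((r for r in rules if r.matches(exc)), None)


def request_approval(exc, rules):
    """Compliance manager clicks Request Approval (manual path when Auto-trigger is off)."""
    rule = _matching_rule(exc, rules)
    if rule is None:
        raise ValueError("no approval rule matches this policy exception")
    return _route(exc, rule)


def click_approve(exc, rules):
    """Compliance manager clicks Approve. No matching rule, or a rule without
    Auto-trigger: approved directly. Rule with Auto-trigger: the rule runs and the
    approvers are notified (returned); the exception is not yet in effect."""
    rule = _matching_rule(exc, rules)
    if rule is not None and rule.auto_trigger:
        return _route(exc, rule)
    _activate(exc)
    return []


def record_approval(exc, approver):
    """An approver responds; once Required Approval is met the exception goes into effect."""
    if exc.state != "Awaiting Approval" or approver not in exc.pending_approvers:
        return exc.state  # ignore responses from non-approvers or after completion
    exc.approvals.add(approver)
    if len(exc.approvals) >= exc.required_approvals:
        _activate(exc)
    return exc.state


def expire_if_due(exc, today):
    """When the Valid until date is reached the exception expires and the
    vulnerable item moves from Deferred back to Open."""
    if exc.state == "Approved" and today >= exc.valid_until:
        exc.state = "Expired"
        exc.item.state = "Open"
    return exc.item.state


def run_sample():
    """Constructed walk-through: a Critical-rated exception with an Auto-trigger rule."""
    rules = [ApprovalRule(["ciso", "cio"], required_approvals=2, auto_trigger=True,
                          risk_rating="Critical")]
    exc = PolicyException("owner", VulnerableItem("VIT-constructed-1"),
                          valid_until=date(2025, 1, 31), risk_rating="Critical")
    trace = [tuple(fields_mandatory_for_approvers(exc)), tuple(click_approve(exc, rules))]
    trace.append(record_approval(exc, "ciso"))
    trace.append(record_approval(exc, "cio"))
    trace.append(exc.item.state)
    trace.append(expire_if_due(exc, date(2025, 1, 30)))
    trace.append(expire_if_due(exc, date(2025, 1, 31)))
    return trace


if __name__ == "__main__":
    print(run_sample())
```

The trace returned by run_sample shows the order the page describes: unfilled fields flagged for approvers, the rule routing to both approvers, the first response leaving the request waiting, the second activating it (vulnerable item Deferred), and the Valid until date flipping the item back to Open.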