Exception Management in Application Vulnerability Response
Summary of Exception Management in Application Vulnerability Response
Exception Management in Application Vulnerability Response (AVR) allows your organization to formally request, review, approve, or reject exceptions when an Application Vulnerable Item (AVI) cannot be remediated in compliance with security policies, standards, or guidelines. Exceptions acknowledge the risks of deferring remediation, typically due to unavailable patches or fixes, enabling controlled risk acceptance within your vulnerability management process.
Requesting and Managing Exceptions
- Requesting Exceptions: Developers can request exceptions for AVIs or remediation tasks directly from the Vulnerability Manager Workspace or IT Remediation Workspace to defer remediation for a specified period.
- Exception Lifecycle: When an exception request is submitted, the AVI status changes to In-Review. If not approved within the configured time frame, the status reverts to Open.
- Approval Process: Exception requests undergo risk assessment and approval by application security analysts. Approval can involve single or two-level approvers, depending on your configuration.
- Tracking: Exceptions can be tracked via the State Change Approvals tab on the AVI record.
- Expiry and Extensions: When an exception expires, the AVI returns to Open. Starting in version 20, you can request an extension to an exception rule's Deferred until date; the request must include a justification and requires two-level approval.
Exception Rules and Automation
- Exception Rules: From version 20 onward, you can create rules to automatically defer remediation of AVIs matching specific conditions, reducing manual effort and minimizing risks of missing SLAs.
- Extension of Exception Rules: You can request extensions to the Deferred until date on exception rules, useful when many AVIs are unresolved by the original deferral date.
Configuration and Integration
- Approval Configuration: Use Flow Designer (enabled by default from v15.0) to configure approval workflows for exceptions and false positives.
- Exception Duration and Questionnaires: Limit exception durations and add questionnaires to exception requests to capture necessary information during submission.
- Approver Management: Add users to exception approver groups to enable exception request and approval capabilities.
- Integration with GRC: Exceptions can also be requested through the GRC: Policy and Compliance Management integration.
- Deferral State: Starting with version 20, remediation can be deferred using the Awaiting Implementation state, which can be set manually for AVIs and remediation tasks in the Under Investigation state.
Benefits for ServiceNow Customers
- Enables structured risk acceptance and management when remediation is not immediately possible.
- Automates exception handling through rules, reducing manual workload and helping meet service levels.
- Improves visibility and control over exception requests with tracking and approval workflows.
- Integrates seamlessly with existing ServiceNow Vulnerability Manager and IT Remediation Workspaces.
- Supports compliance with organizational policies while acknowledging and managing residual risks effectively.
When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management covers requesting, reviewing, approving, or rejecting exceptions for an application vulnerable item (AVI) that cannot be remediated in line with the policy.
Starting from v21.0 of Application Vulnerability Response, you can configure the time frames for approving false positives and exceptions, along with email notifications to both the approver and the requester after a set number of days. When a request is raised, the AVI changes to In-Review status and a state change record is created. If the approver doesn't respond within the configured time frame, the AVI or remediation task reverts to Open status; the state it held before the request is stored in the backup_state field. For more information, see Configure approval rules for Exception Management.
Life cycle of an exception
- Definition of an exception
- An exception is a request to defer the remediation of an AVI for a specified period. For example, as a developer, you can request an exception if a patch is not available for a machine.
- Requesting an exception
- As the developer, you ask for an exception for an AVI through the exception management process. After the application security analyst approves the request, the AVI moves to the Deferred state. Important: You can request exceptions for AVIs and remediation tasks (RTs) from the Vulnerability Manager Workspace and the IT Remediation Workspace respectively. For more information, see Request exceptions for remediation tasks and records in the Vulnerability Manager Workspace and Request an exception in the IT Remediation Workspace.
- Exception rules
- Starting with v20, you can create exception rules that automatically defer existing and new application vulnerable items (AVIs) for a specific period when they match the rule's conditions. Automatically deferring AVIs with rules minimizes the risk of missing service level agreements and lets you manage many items at once, because no manual intervention is needed per item. See Create an Exception rule.
- Requesting an extension for an exception rule
- Starting with v20, you can submit a request to extend the Deferred until date of an exception rule, the date when the associated remediation task stops accepting new AVIs. You might request an extension if a large number of records deferred by the rule are still unresolved as that date approaches. The extension updates the rule in place, so the new deferral date applies to the AVIs it already covers. You can enter a date up to one year from the current date, and you must include a reason for the extension. An extension request requires two-level approval from separate approval groups.
- Approving an exception request
- AVIs that can't be remediated immediately are reviewed by application security analysts, assessed for risk, and approved for deferral until they can be remediated. Approval can be a two-level flow. If only a first-level approver is configured, exceptions can still be requested and approved at that single level; if no first-level approver is configured, an exception can't be requested at all. See Add an exception approver for Application Vulnerability Response for more information. Important: You can approve or reject exception requests in the Vulnerability Manager Workspace. For more information, see Approve or reject requests in the Vulnerability Manager Workspace.
- Reopen
- Tracking an exception request
- After raising the exception, you can track its status on the State Change Approvals tab of the AVI.
- Expiry of an exception request and requesting an extension to an exception rule
- When an exception for a particular AVI expires, that AVI reverts to the Open state. Starting with v20, however, you can submit a request to extend the Deferred until date on the exception rule.
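The life cycle above is a small state machine: a request parks the AVI in In-Review with its prior state in backup_state, an unanswered request times out back to Open, approval (one or two levels) moves it to Deferred until a date, expiry reopens it, and an exception rule applies the same deferral to every matching AVI without a per-item request. The model below is an added example written for this page, not ServiceNow code: only the state names and the backup_state field come from the text; the class and function names, the approval-window check, and the "two approvals from separate groups, at most one year out" extension check are assumptions that mirror the prose so the behaviour can be exercised offline.

```python
"""Toy model of the AVI exception life cycle described on this page.

Added example, not ServiceNow code. Only the field name backup_state and the
state names Open, In-Review and Deferred come from the page; the classes,
function names, approval-window and extension checks are assumptions that
mirror the prose so the life cycle can be run offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Optional

OPEN, IN_REVIEW, DEFERRED = "Open", "In-Review", "Deferred"
MAX_EXTENSION_DAYS = 365  # page: an extension date may be up to one year out


@dataclass
class StateChangeApproval:
    """One row of the State Change Approvals tab: a single exception request."""
    requested_on: date
    reason: str
    defer_until: date
    approvals_needed: int            # 1 = single level, 2 = two-level flow
    approvals: int = 0
    outcome: str = "Pending"         # Pending | Approved | Rejected | Timed out


@dataclass
class AppVulnerableItem:
    id: str
    app: str
    severity: str
    state: str = OPEN
    backup_state: Optional[str] = None   # page: state held before the request
    deferred_until: Optional[date] = None
    approvals: list[StateChangeApproval] = field(default_factory=list)


def request_exception(avi, today, reason, defer_until, two_level=False,
                      first_level_approver=True):
    """Developer raises a request: AVI goes to In-Review, old state is backed up."""
    if not first_level_approver:           # page: no first-level approver, no request
        raise PermissionError("no first-level approver configured")
    if avi.state == IN_REVIEW:
        raise ValueError("a request is already pending")
    if not reason.strip():
        raise ValueError("justification is required")
    req = StateChangeApproval(today, reason, defer_until, 2 if two_level else 1)
    avi.backup_state, avi.state = avi.state, IN_REVIEW
    avi.approvals.append(req)
    return req


def approve(avi, req):
    """Analyst approval; the final approval of the flow moves the AVI to Deferred."""
    req.approvals += 1
    if req.approvals >= req.approvals_needed:
        req.outcome, avi.state = "Approved", DEFERRED
        avi.deferred_until, avi.backup_state = req.defer_until, None
    return avi.state


def reject(avi, req):
    """Rejection restores the state saved in backup_state (Open for a fresh request)."""
    req.outcome = "Rejected"
    avi.state, avi.backup_state = avi.backup_state or OPEN, None
    return avi.state


def tick(avi, today, approval_window_days):
    """Scheduled check: time out unanswered requests and expire finished deferrals."""
    for req in avi.approvals:
        if req.outcome == "Pending" and (today - req.requested_on).days > approval_window_days:
            req.outcome = "Timed out"
            avi.state, avi.backup_state = avi.backup_state or OPEN, None  # page: reverts to Open
    if avi.state == DEFERRED and avi.deferred_until and today > avi.deferred_until:
        avi.state, avi.deferred_until = OPEN, None                        # page: expiry reopens
    return avi.state


@dataclass
class ExceptionRule:
    """Auto-defers every matching Open AVI until deferred_until, with no per-item request."""
    name: str
    matches: Callable[[AppVulnerableItem], bool]
    deferred_until: date

    def apply(self, avis):
        hit = [a for a in avis if a.state == OPEN and self.matches(a)]
        for a in hit:
            a.state, a.deferred_until = DEFERRED, self.deferred_until
        return hit

    def extend(self, today, new_date, reason, approver_groups):
        """Extension needs a reason, at most one year out, and approvals from two separate groups."""
        if not reason.strip():
            raise ValueError("reason is required")
        if new_date > today + timedelta(days=MAX_EXTENSION_DAYS):
            raise ValueError("extension may not exceed one year from today")
        if len(set(approver_groups)) < 2:
            raise PermissionError("two-level approval from separate groups required")
        self.deferred_until = new_date
        return new_date
```

Two behaviours worth exercising against a real instance are encoded here as the edge cases: a request that nobody answers within the configured window falls back to backup_state rather than staying parked in In-Review, and a rule extension signed off twice by the same group is not a two-level approval.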