Exception Management Overview

  • Release version: Zurich
  • Updated August 1, 2025

    When your organization can't comply with a published finding or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to a finding or remediation task (RT) that can’t be remediated.

    Some findings have no existing patch, fix, or solution. Approving an exception is therefore a risk-acceptance decision: by approving it, you acknowledge and agree to the consequences of leaving the finding unremediated for the deferral period.

    Exception Management lets administrators handle, configure, and review exception cases within the Security Exposure Management Administration Console. To open it, navigate to Workspaces > Security Exposure Management Workspace > Administration > Exception Management.

    On the Exception Management landing page, you can view the exception management configuration for all four apps: Vulnerability Response, Configuration Compliance, Application Vulnerability Response, and Container Vulnerability Response. You can create a new questionnaire, or design your own from the templates available in the Smart Assessment workspace, to help the Vulnerability Manager, Business Unit Head, or Service Owner review exception requests.

    You can personalize the columns and rows using the settings icon on the right.

    The life cycle of an exception

    Definition of an exception
    An exception is a request to defer the remediation of a finding or remediation task for a specified period. For example, as a remediation owner, you can request an exception if a patch isn’t available for a machine.
    Requesting an exception
    As the remediation owner, you request an exception for a finding or remediation task through the exception management process. After the exception approver approves the request, the finding or remediation task moves to the Deferred state.
    Approving an exception request
    Findings or remediation tasks that can't be remediated immediately are reviewed by a vulnerability manager or business analyst, assessed for risk, and approved for deferral until they can be remediated. Approval rules are determined by the configured approvers and approver levels: if configured, a request follows a multi-level approval workflow, and once every required approval is obtained the request transitions to the state appropriate for its request type. If no approver is configured for a request type, requests of that type can't be submitted. Approvals are typically given by the Vulnerability Manager or by business users who hold the appropriate approver role.
    Tracking an exception request
    After raising the exception request, you can track its status in the Change Approvals tab of the finding or remediation task. If the request was raised on a remediation task, the status is tracked on that task; you can't track the status of the individual findings within it.
    Expiry of an exception request
    When an exception request for a particular finding or remediation task expires, the impacted finding or remediation task reverts to its Open state.
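    The life cycle above, modelled as an added Python illustration (this is not ServiceNow code; the platform's own tables, roles and APIs are not shown). It assumes a simplified model: a finding or remediation task with an Open/Deferred state, a request with an ordered list of configured approver levels, and a deferral that ends on a date. The names Finding, ExceptionRequest, expire_deferrals and the sample identifier VIT0001 are hypothetical. It enforces the rules the page states: a request with no configured approver can't be submitted, every configured level must approve in order before the item moves to Deferred, a rejection at any level leaves it Open, and an expired deferral reverts the item to Open.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


class ExceptionError(Exception):
    """Raised when a life-cycle rule from the page is violated."""


@dataclass
class Finding:
    """A finding or remediation task: Open -> Deferred -> Open (on expiry)."""
    name: str
    state: str = "Open"
    deferred_until: Optional[date] = None


@dataclass
class ExceptionRequest:
    """Hypothetical model of an exception request (not the platform's record)."""
    finding: Finding
    justification: str
    duration_days: int
    approver_levels: List[str]                 # configured approvers, in order
    decisions: Dict[str, bool] = field(default_factory=dict)
    state: str = "Draft"                       # Draft -> Submitted -> Approved | Rejected

    def submit(self) -> str:
        # Page rule: with no approver configured for the request type, submission is refused.
        if not self.approver_levels:
            raise ExceptionError("no approver configured for this request type; cannot submit")
        if self.finding.state != "Open":
            raise ExceptionError(f"{self.finding.name} is {self.finding.state}, not Open")
        self.state = "Submitted"
        return self.state

    def decide(self, level: str, approve: bool, today: str) -> str:
        """Record one approver level's decision; `today` is an ISO date string."""
        if self.state != "Submitted":
            raise ExceptionError(f"request is {self.state}; no decision expected")
        # Multi-level approval: levels are answered in the configured order.
        expected = self.approver_levels[len(self.decisions)]
        if level != expected:
            raise ExceptionError(f"waiting on {expected}, got {level}")
        self.decisions[level] = approve
        if not approve:
            self.state = "Rejected"            # item stays Open for remediation
        elif len(self.decisions) == len(self.approver_levels):
            self.state = "Approved"            # all levels approved: defer the item
            self.finding.state = "Deferred"
            self.finding.deferred_until = date.fromisoformat(today) + timedelta(days=self.duration_days)
        return self.state


def expire_deferrals(findings: List[Finding], today: str) -> List[str]:
    """Revert every finding whose deferral has lapsed to Open; return their names."""
    now = date.fromisoformat(today)
    reverted = []
    for f in findings:
        if f.state == "Deferred" and f.deferred_until is not None and now >= f.deferred_until:
            f.state = "Open"
            f.deferred_until = None
            reverted.append(f.name)
    return reverted


if __name__ == "__main__":
    vit = Finding("VIT0001")   # constructed sample item
    req = ExceptionRequest(vit, "No vendor patch available", 30,
                           ["Vulnerability Manager", "Business Unit Head"])
    req.submit()
    req.decide("Vulnerability Manager", True, "2025-08-01")
    req.decide("Business Unit Head", True, "2025-08-01")
    print(vit)                                      # Deferred until 2025-08-31
    print(expire_deferrals([vit], "2025-08-31"))    # ['VIT0001']; vit is Open again
```

    The expiry sweep is kept separate from the request object because, in practice, the date-based reversion is a scheduled job rather than something an approver triggers; a reviewer auditing exceptions would want to check that job runs and that nothing sits in Deferred past its date.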