Initial commit
83
03-procedures/exception-management-procedure.md
Normal file
@@ -0,0 +1,83 @@
Title: Exception Management Procedure
Document ID: [PROC-EXCEPTION-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Exception Management Procedure

## Purpose

This procedure defines how BlackDice should request, assess, approve, record, review, and close exceptions to required security controls.

## Scope

This procedure applies to proposed deviations from approved policies, standards, procedures, or mandatory security requirements within the ISMS scope.

## Trigger / When Used

Use this procedure when:

- a control requirement cannot be met
- a temporary deviation is needed for operational or technical reasons
- a compensating control is proposed in place of the standard requirement

## Procedure Steps

1. Submit an exception request describing the requirement affected, rationale, affected assets or services, duration, and proposed compensating controls.
2. Confirm the request is complete and identify the relevant owner, approver, and impacted stakeholders.
3. Assess the security, operational, customer, compliance, and resilience risk associated with the exception.
4. Determine whether the exception can be accepted, requires additional controls, or should be rejected.
5. Record the decision, approval, conditions, expiry date, and review date.
6. Implement any required compensating controls or follow-up actions.
7. Review open exceptions at defined intervals or when conditions change.
8. Close the exception when the underlying issue is remediated or the exception expires without renewal.

## Inputs

- exception request
- affected control requirement
- risk assessment information
- proposed compensating controls

## Outputs / Records

- exception decision record
- approved conditions and expiry date
- linked risk or remediation actions
- closure record

## Roles and Responsibilities

- Requesters must provide accurate justification and proposed mitigation.
- [Role] must coordinate exception review and record management.
- Approvers must evaluate risk and determine whether the exception is acceptable.
- Control owners must implement agreed compensating controls.

## Escalation / Exceptions

Escalate where:

- the exception affects production, customer, or regulated data handling
- no compensating control is available
- the exception becomes long-term or repeatedly renewed
- disagreement exists over residual risk

This procedure governs exceptions; no additional procedural exception is needed beyond documented emergency handling.

## Related Documents

- Information Security Policy
- Risk Assessment and Treatment Methodology
- Risk Assessment Procedure
- Security Exceptions Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
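Review bot: The metadata block names the same person as both Owner and Approver ("Owner: CISO (Paul Jenkins)" / "Approver: CISO (Paul Jenkins)"), and the Roles section leaves the coordinating role as "[Role]", so the document does not establish who approves an exception independently of the function that requests it or who approves exceptions raised by the CISO's own team; add a named alternate or delegated approver and fill in the coordinating role before this leaves draft. The step "Review open exceptions at defined intervals or when conditions change" and the "expiry date" in step 5 refer to a review cadence and a maximum duration that are defined nowhere in the file; state a default review interval and a maximum exception lifetime (or cite the document that sets them) so that "the exception becomes long-term or repeatedly renewed" under Escalation has a measurable threshold. "Escalate where:" lists four conditions but not the escalation target; name the role or forum that receives the escalation. Finally, the Outputs list and the Related Documents entry "Security Exceptions Register Template" should be tied together by stating that the decision, conditions, expiry and closure records are held in that register, otherwise there is no single place an auditor can enumerate open exceptions.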