| Field | Value |
| --- | --- |
| Title | Exception Management Procedure |
| Document ID | [PROC-EXCEPTION-001] |
| Version | 0.1 Draft |
| Status | Draft |
| Owner | CISO (Paul Jenkins) |
| Approver | CISO (Paul Jenkins) |
| Classification | Internal |
| Effective date | [DD Month YYYY] |
| Review date | [DD Month YYYY] |

# Exception Management Procedure

## Purpose

This procedure defines how BlackDice should request, assess, approve, record, review, and close exceptions to required security controls.

## Scope

This procedure applies to proposed deviations from approved policies, standards, procedures, or mandatory security requirements within the ISMS scope.

## Trigger / When Used

Use this procedure when:

- a control requirement cannot be met
- a temporary deviation is needed for operational or technical reasons
- a compensating control is proposed in place of the standard requirement

## Procedure Steps

1. Submit an exception request describing the requirement affected, rationale, affected assets or services, duration, and proposed compensating controls.
2. Confirm the request is complete and identify the relevant owner, approver, and impacted stakeholders.
3. Assess the security, operational, customer, compliance, and resilience risk associated with the exception.
4. Determine whether the exception can be accepted, requires additional controls, or should be rejected.
5. Record the decision, approval, conditions, expiry date, and review date.
6. Implement any required compensating controls or follow-up actions.
7. Review open exceptions at defined intervals or when conditions change.
8. Close the exception when the underlying issue is remediated or the exception expires without renewal.

## Inputs

- exception request
- affected control requirement
- risk assessment information
- proposed compensating controls

## Outputs / Records

- exception decision record
- approved conditions and expiry date
- linked risk or remediation actions
- closure record

## Roles and Responsibilities

- Requesters must provide accurate justification and proposed mitigation.
- [Role] must coordinate exception review and record management.
- Approvers must evaluate risk and determine whether the exception is acceptable.
- Control owners must implement agreed compensating controls.

## Escalation / Exceptions

Escalate where:

- the exception affects production, customer, or regulated data handling
- no compensating control is available
- the exception becomes long-term or repeatedly renewed
- disagreement exists over residual risk

This procedure governs exceptions; no additional procedural exception is needed beyond documented emergency handling.

## Related Documents

- Information Security Policy
- Risk Assessment and Treatment Methodology
- Risk Assessment Procedure
- Security Exceptions Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |