CCC-08: Exception Management

Control is new to this version of the control set.

Control Statement

'Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.'

Implementation Guidance

The exception management procedure should include, but is not limited to:

  1. Change management baselines
  2. Unauthorized assets
  3. Evidence collection and management

Auditing Guidance

  1. Verify that the organization establishes and documents mandatory configuration settings for information technology products employed within the information system, as determined by adoption of the latest suitable security configuration baselines.
  2. Confirm that the process identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements.
  3. Determine that the organization monitors and controls changes to the configuration settings in accordance with organizational policy and procedures.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.