Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.
The exception process should be defined and approved by the management team and communicated across the organization to promote adherence. Integrate exemptions with the information security risk management process, and review organizational risks whenever a deviation from an established policy occurs.
- xamine the policy and/or procedures to determine if the policy exception process has been established.
- dentify and confirm that exceptions to policies are tracked, authorised, and evidenced.
- onfirm a review of policy exceptions takes place on a periodic basis by appropriate management.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.