One Article Review

Home - The article:
Source NoticeBored
Identifier 1502077
Publication date 2020-01-21 08:49:54 (viewed: 2020-01-21 06:15:29)
Title NBlog Jan 21 - exceptions vs exemptions
Text In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately.

"Exceptions" are unauthorized non-conformance or non-compliance situations. For example, if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception: something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management. Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such.

"Exemptions" are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicitly authorized or agreed that they should continue, perhaps with compensating controls, for a defined limited period, and with clear accountability for the associated risks. So, for instance, the information risks associated with only having single-factor auth on a test system may be acceptable to management if the control costs are deemed excessive in that situation ... but the exemption might be only for the duration of the testing, and on the condition that the test system only has access to test data, not live/production data, with the Test Manager personally accepting accountability for the associated information risks.

Exemptions do not constitute issues, events or incidents unless:
- The situation at hand varies substantially from that authorized, e.g. if the compensating controls are not actually in operation, or if the authorized exemption period has expired (yes, even exemptions have to be complied with ... perhaps implying the need for compliance checks and other control measures if the information risks are significant);
- The information risks are materially different from those accepted, e.g. if
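The post's distinction lends itself to a compliance check of the kind it alludes to: a finding is an exception unless a current exemption covers it, and an exemption stops covering it once it has expired, its compensating controls are not operating, or the observed risk is materially different from what management accepted. The following is an added example, not code from the NoticeBored post or from its author; the control id, asset names, dates, risk scale, the "one level of change is material" threshold, and the register/finding structures are all constructed assumptions.

```python
"""Classify non-conformance findings against an exemption register.

Added example (not from the NoticeBored post). A finding is an "exception"
unless a current exemption covers it; the exemption stops protecting the
finding when it has expired, when its compensating controls are not in
operation, or when the observed risk differs materially from the accepted
risk. All ids, names, dates and ratings are constructed sample values.
"""
from dataclasses import dataclass
from datetime import date

# Ordinal risk scale; "materially different" is modelled (assumption) as a
# change of at least MATERIAL_STEP levels from the accepted rating.
RISK_LEVELS = ["low", "medium", "high", "critical"]
MATERIAL_STEP = 1


@dataclass(frozen=True)
class Exemption:
    control_id: str          # policy control being waived (e.g. MFA on privileged accounts)
    asset: str               # scope of the waiver
    expires: date            # "for a defined limited period"
    compensating: frozenset  # controls that must actually be in operation
    accepted_risk: str       # risk rating management signed off on
    accountable: str         # named owner personally accepting accountability


@dataclass(frozen=True)
class Finding:
    control_id: str
    asset: str
    observed: date
    compensating_in_place: frozenset
    current_risk: str


def _risk_index(level: str) -> int:
    return RISK_LEVELS.index(level)


def classify(finding: Finding, register: list[Exemption]) -> str:
    """Return one of: exception, exempt, exemption_expired,
    exemption_breached, risk_changed."""
    matches = [e for e in register
               if e.control_id == finding.control_id and e.asset == finding.asset]
    if not matches:
        # Unauthorized non-compliance: nobody has risk-assessed or authorized it.
        return "exception"
    ex = max(matches, key=lambda e: e.expires)  # latest exemption wins if several
    if finding.observed > ex.expires:
        return "exemption_expired"          # even exemptions must be complied with
    if ex.compensating - finding.compensating_in_place:
        return "exemption_breached"         # compensating controls not in operation
    delta = abs(_risk_index(finding.current_risk) - _risk_index(ex.accepted_risk))
    if delta >= MATERIAL_STEP:
        return "risk_changed"               # risk materially different from accepted
    return "exempt"


def needs_incident_handling(status: str) -> bool:
    """Anything other than a valid exemption is an issue/event to report and manage."""
    return status != "exempt"


# Constructed register: single-factor auth tolerated on a test system until a date,
# provided it holds only test data and is network-isolated; Test Manager accountable.
REGISTER = [
    Exemption("AC-MFA-PRIV", "test-db-01", date(2020, 3, 31),
              frozenset({"test-data-only", "network-isolated"}),
              "medium", "Test Manager"),
]

# Constructed findings covering each outcome.
FINDINGS = [
    Finding("AC-MFA-PRIV", "test-db-01", date(2020, 2, 1),
            frozenset({"test-data-only", "network-isolated"}), "medium"),    # exempt
    Finding("AC-MFA-PRIV", "prod-db-01", date(2020, 2, 1),
            frozenset(), "high"),                                             # exception
    Finding("AC-MFA-PRIV", "test-db-01", date(2020, 4, 15),
            frozenset({"test-data-only", "network-isolated"}), "medium"),    # expired
    Finding("AC-MFA-PRIV", "test-db-01", date(2020, 2, 1),
            frozenset({"network-isolated"}), "medium"),                       # live data reachable
    Finding("AC-MFA-PRIV", "test-db-01", date(2020, 2, 1),
            frozenset({"test-data-only", "network-isolated"}), "critical"),  # risk changed
]


def review(findings=FINDINGS, register=REGISTER) -> list[tuple[str, str, bool]]:
    """Classify every finding; returns (asset, status, needs_handling) rows."""
    rows = []
    for f in findings:
        status = classify(f, register)
        rows.append((f.asset, status, needs_incident_handling(status)))
    return rows


if __name__ == "__main__":
    for asset, status, handle in review():
        print(f"{asset:12} {status:18} {'REPORT' if handle else 'ok'}")
```

Running the module prints one row per finding; only the first is reported as a valid exemption, the rest are flagged for handling as issues or events, which is the practical consequence of the definitions above.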

