This blog covers the risks of creating security exceptions – often overlooked, manipulated and out of control – and how to reengineer the process to maintain a secure environment.
Picture a company that’s the envy of its peers from a compliance and risk perspective. This respected firm has robust staff in its internal audit, security, risk management, and related departments. It has a fully functioning GRC system and tracks control effectiveness globally under multiple compliance frameworks.
When the company’s employees attend conferences and events, they are flooded with questions about “how they do it” or what “mature” looks like in their environment. With all these things in place, the risk of a significant breach, security control failure, or risk event should be low. However, this program has one glaring hole, and it occurs at nearly every company: the security exception program lacks maturity and has spiraled out of control.
What Are Security Exceptions?
A security exception is a documented, temporary bypass of a policy, procedure or control, granted through an exception process for business reasons. It is an “exception to the rule” justified by the company’s business mission, so to speak. All companies have a legitimate need to grant information security exceptions. Never say never when it comes to information security, considering the unlimited ways technologies are used and how quickly they’re evolving.
Common security exceptions include:
- A firewall port must be opened, or a ruleset modified, to support a critical business operation or application.
- A specialized vendor system enforces password settings (e.g., expiration, length, complexity) that do not meet the organization’s password policy.
- A proprietary business system allows only one admin ID, yet a team of admins supports it, so the team violates the policy prohibiting shared user IDs.
- Some laptop operating systems used within the organization do not support the required USB-blocking or whole-disk encryption controls.
- A legacy system that the business depends on cannot be configured to meet every technical requirement of the information security policy; for example, every user of the application is given admin privileges.
- A key business-system support employee is in an accident. Because no backup process exists, a real-time exception to the access policy is needed so a co-worker can use that employee’s ID to cover critical processing requests.
Exception handling is rarely addressed explicitly by published security and control frameworks. This makes exceptions easy to overlook and exclude from risk and control programs.
Risks of Creating Security Exceptions
Creating security exceptions opens new risk vectors that are difficult to manage without a formal, repeatable and scalable process. It should not be taken lightly. The following are risks of creating security exceptions:
- Weakened layers of defense, because the ripple effects of bypassing one control on the controls around it were never considered.
- Poor tracking of expiration dates, leading to “permanent” exceptions.
- Absent or deficient communication to the stakeholders who depend on the bypassed control.
- Key controls not performed over long periods.
- Regulatory violations and the associated fines and penalties.
Maintain a Secure Environment by Reengineering the Process
An effective way to identify improvements, efficiencies and automation opportunities is to revisit stale processes. This is also true for security exceptions. Mapping the current process is a great start to reengineering a new one to meet the risk mitigation needs of an organization.
1. Out With Old, in With New
Security exception listings can quickly get out of control without a refined process. Hasty approvals, missing expiration dates, and untracked compensating controls all create problems. A great place to start a process-refinement analysis is to ask questions that clarify the challenges of the current security exception environment: who requested each exception, who approved it, what compensating controls exist, and when it expires.
Working through such preliminary questions helps separate exceptions with a defined business need from those that have simply lingered. Most companies find they can modify or completely discard many of their current exceptions, which can substantially reduce the organization’s risk profile. Some manual investigation and stakeholder interaction will be involved, but the exercise creates future efficiencies.
2. Implementation
After redesigning a new process, implementation is the next challenge. You need to consider many things during implementation. This includes stakeholders, roles, enterprise risk management, criteria, and service level agreements. These program pillars are critical to the success of the overall information security exception management process. You must apply them strategically and methodically for a successful implementation.
The key to success is having a security exception management process in place and consistently following it. Some components to consider include centralized exceptions, compensating controls, approvals, accountability, time limits, escalations, monitoring, renewals, and removals.
3. Risk, Oversight and Governance
Mature information security exception programs are well-defined at the governance level. They also involve regular input from subject matter experts. For example, someone who lacks proven firewall management experience should not decide on a requested exception to a firewall rule change.
At the same time, there must be a governance process that applies the enterprise risk criteria of the organization. Just because the firewall subject matter expert approves the exception from a perimeter-defense perspective doesn’t mean it should be granted; the exception could still increase the risk to the organization as a whole. The decision-making process should combine enterprise risk, suitable governance, subject matter expertise, and appropriate oversight.
4. Reporting and Training
It’s essential to put valuable data into stakeholders’ hands to manage the security exception process effectively. Proper reporting will help you avoid security violations and improve the process moving forward.
Ongoing reporting of exceptions should include the following items:
- Trends (root cause analysis).
- List of policies that have exceptions.
- Remediation status.
- Risk profile at any point in time.
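The process components listed under Implementation (centralized register, compensating controls, approvals, accountability, time limits, escalations, renewals, removals) and the reporting items above can be made concrete in a small exception register. The following Python is an added example, not code from the article: it assumes a three-level risk rating, maximum exception durations per rating, and numeric risk weights, all of which are constructed for illustration, as is the sample register (whose entries mirror the exception types described earlier in the post). It flags exceptions with no expiry date, self-approval, missing compensating controls, or a duration beyond the limit; builds an escalation queue (remove, escalate, renew); and produces the trend, policy, remediation-status and risk-profile figures the reporting list calls for.

```python
"""Minimal security-exception register: expiry checks, escalation queue and reporting.
Added example; policy limits, risk weights and the sample register are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed governance rules: longest an exception may run before renewal, by risk rating,
# and the weight each active exception contributes to the point-in-time risk profile.
MAX_DURATION = {"low": timedelta(days=365), "medium": timedelta(days=180), "high": timedelta(days=90)}
RISK_WEIGHT = {"low": 1, "medium": 3, "high": 9}


@dataclass
class SecurityException:
    exception_id: str
    policy: str                    # the policy or standard being bypassed
    system: str
    owner: str                     # requester accountable for remediation
    approver: str
    risk: str                      # "low" | "medium" | "high"
    compensating_controls: List[str]
    granted: date
    expires: Optional[date]        # None = no expiry recorded, a finding in itself
    remediation_status: str = "open"   # "open" | "in_progress" | "closed"

    @property
    def active(self) -> bool:
        return self.remediation_status != "closed"


def findings_for(exc: SecurityException, today: date) -> List[str]:
    """Governance findings for one exception; an empty list means it is clean."""
    findings = []
    if exc.expires is None:
        findings.append("no expiry date")
    else:
        if exc.expires <= today:
            findings.append("expired")
        if exc.expires - exc.granted > MAX_DURATION[exc.risk]:
            findings.append("duration exceeds limit for %s risk" % exc.risk)
    if not exc.compensating_controls:
        findings.append("no compensating controls")
    if exc.owner == exc.approver:
        findings.append("self-approved")
    return findings


def escalation_queue(register: List[SecurityException], today: date, warn_days: int = 30) -> Dict[str, str]:
    """Map exception_id -> required action for active exceptions needing attention."""
    queue = {}
    for exc in register:
        if not exc.active:
            continue
        findings = findings_for(exc, today)
        if "expired" in findings:
            queue[exc.exception_id] = "remove"      # restore the control or file a new request
        elif findings:
            queue[exc.exception_id] = "escalate"    # governance defect: no expiry, self-approval, ...
        elif exc.expires - today <= timedelta(days=warn_days):
            queue[exc.exception_id] = "renew"       # owner must re-justify or remediate before expiry
    return queue


def report(register: List[SecurityException], today: date) -> dict:
    """The four reporting items: trends/findings, policies with exceptions, remediation status, risk profile."""
    active = [e for e in register if e.active]
    return {
        "policies_with_exceptions": dict(Counter(e.policy for e in active)),
        "remediation_status": dict(Counter(e.remediation_status for e in register)),
        "risk_score": sum(RISK_WEIGHT[e.risk] for e in active),
        "findings": {e.exception_id: f for e in active if (f := findings_for(e, today))},
    }


TODAY = date(2024, 6, 1)  # constructed reporting date

# Constructed sample register, modelled on the exception types described in the post.
REGISTER = [
    SecurityException("EX-001", "Firewall Rule Standard", "app-gw-01", "netops", "ciso", "medium",
                      ["source IP allowlist", "IDS monitoring"], date(2024, 3, 1), date(2024, 8, 28)),
    SecurityException("EX-002", "Password Policy", "vendor-hr", "hr-it", "hr-it", "low",
                      [], date(2022, 1, 10), None),                     # the classic "permanent" exception
    SecurityException("EX-003", "Shared Account Prohibition", "legacy-billing", "billing-ops", "ciso", "high",
                      ["session recording", "quarterly access review"], date(2024, 1, 15), date(2024, 5, 15),
                      "in_progress"),
    SecurityException("EX-004", "Least Privilege Standard", "legacy-erp", "erp-team", "ciso", "high",
                      ["application audit log review"], date(2024, 4, 1), date(2024, 6, 20)),
    SecurityException("EX-005", "Firewall Rule Standard", "b2b-vpn", "netops", "ciso", "low",
                      ["rule-level logging"], date(2023, 9, 1), date(2024, 8, 31)),
    SecurityException("EX-006", "USB Blocking Standard", "field-laptops", "field-it", "ciso", "medium",
                      ["endpoint DLP"], date(2023, 2, 1), date(2023, 8, 1), "closed"),
]

if __name__ == "__main__":
    for exc_id, action in escalation_queue(REGISTER, TODAY).items():
        print(exc_id, action)
    for key, value in report(REGISTER, TODAY).items():
        print(key, value)
```

Two policies showing up repeatedly in `policies_with_exceptions` (here the firewall rule standard) is the trend signal the post describes: the standard itself, or the change process behind it, may be what needs fixing rather than the individual requests.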
Patterns are unlikely to become apparent if several different manual solutions are used to handle exceptions. This is a serious deficiency, because trend analysis is often the only way to identify root causes. Sometimes you can reduce or eliminate exceptions by modifying the process in which they occur.
Many employees view dealing with exceptions as a “necessary evil.” However, exceptions are an opportunity to provide a direct view into how well policies and standards are being followed. In some cases, they can also indicate whether overarching documents are a problem. Proper training and reporting on the process can prevent many pitfalls.
Automate Security Exceptions
With the proper systems in place, managing exceptions moves from a manual to automated process, instantly delivering value. This happens by tracking exception requests and overlaying them with the underlying assignee or program data to identify trends.
Yet, you should approach automation cautiously. Before considering automation, you must examine the current process and map out the desired process. Every business environment is different, so automation will make sense in some cases but not others. Adopt technological measures to prevent individuals from intentionally or unintentionally bypassing the new process.
Automated exception management provides an opportunity to make an unpleasant task more palatable and efficient. This can shorten time to resolution and help shift employees’ perceptions in a positive direction. More importantly, automation gives management the tools to get ahead of requirements and better evaluate the underlying policies and standards.
Here’s a brief example of how automation can greatly improve a complex security exception process. A Fortune 500 organization found that 84 percent of nearly 750 exception requests submitted in a given year received approval. A rate that high indicates it was too easy to obtain an exception.
Meanwhile, the organization’s security team spent roughly 40 minutes managing each exception, adding about $90K in cost for approving exceptions, the equivalent of a full-time employee. Using a system to collect and track the data, the organization set up automatic approval thresholds and adjusted its policies. It dramatically reduced the time spent managing exceptions while improving the overall user experience.
Security Exceptions – The Ultimate Weakness
The reasons for nonperformance of a policy, procedure or control may include business needs, technological limits, or staffing issues. Controls and procedures are established to make organizations more secure and ensure management’s objectives are met. Creating exceptions to these rules opens a new risk vector that is difficult to control and should not be taken lightly.
Nonetheless, exceptions to information security policies are inevitable. That’s why your organization must be prepared by designing, documenting and implementing an effective information security exception management process. An effective program, once rolled out or re-engineered, commonly shifts the culture.
As with change management, information security exception awareness requires a new set of supporting, repeatable processes. These new practices require top-to-bottom buy-in to prevent employees from bypassing the process, which is crucial for maintaining a secure environment. Equally important are the documentation and supporting processes you need to comply with a wide range of requirements.
Bottom line: every business needs a comprehensive, consistent, regularly updated policy for determining when to make security exceptions. This includes guidance on when to remove them, and protocols and instructions that are easy for stakeholders to understand and implement.