Purpose #
The purpose of this policy is to ensure that exceptions to security policies are documented and approved through a formal exception process.
Scope: This policy applies to all published Nested Knowledge information security policies. Employees and contractors must abide by this exception process.
Policy #
An exception to an information security policy may be granted in the following cases:
- The implicated system does not have the capacity to comply with the relevant security standard.
- Immediate compliance would disrupt critical business operations.
- A more secure or superior solution exists.
- Compliance would adversely affect business operations.
- A lawsuit or investigation requires an exception to the relevant security policy.
- Compliance would cause a major adverse financial loss.
- An emergency situation requires violation of the relevant security policy.
To Request an Exception:
Email or Slack the information security team to request an exception. Your request must contain the following information:
- Your name.
- The implicated policy.
- The device or application affected by the request.
- Data classification category of the associated systems.
- The rationale for non-compliance with the policy.
- Expected duration of non-compliance.
- Assessment of risks.
- Controls in place to mitigate those risks.
Compliance #
Policy exception requests will be reviewed as they are received, and at least monthly.
Revision History #
Author | Date of Revision/Review | Comments/Description |
---|---|---|
K. Cowie | 10/31/2024 | Revised |
K. Cowie | 02/07/2023 | Draft Completed |