
How to manage compliance exemptions?

GDPR, LPM, NIS... Companies today are subject to an increasing number of regulatory and compliance frameworks. While these rules are essential to ensuring a high level of security within the organization, they can sometimes hinder the smooth running of operations.

March 3, 2025

But then how should you handle a situation that does not comply with the company's information system security policy (ISSP) or one of the many applicable regulations? What is an exemption? And above all, how can you set up an exemption management system in a company?

What is an exemption?

An exemption (also called a waiver or exception) can be defined as an exceptional authorization or temporary permission granted to deviate from the rules or policies established within the organization.

For Baptiste David, PreSales and Delivery Manager at Tenacy, "the exemption is a non-application of a security measure."

A concrete example of this need for exceptions can be seen in the management of corporate internet access policy: it is not uncommon for IT departments to block access to recreational sites such as Facebook within companies, for fear of sensitive information leaks or malware infection. While legitimate, this blanket restriction systematically impacts communications and marketing teams, who legitimately use social media. It is in this scenario that exemptions allow the company's security policy to be adapted to specific needs.

Another example of an exception concerns the management of administrator rights within an organization. As a general rule, employees do not have rights to administer their workstations. However, in certain situations, users may need administrator rights to install or update software. Here again, the exception allows the rule to be adapted to the situation.

It should be noted that exemptions are not limited solely to the individual needs of users. They can also apply at a hierarchical level, such as to a department or division—the famous VIPs.

Is it mandatory to use exemptions?

Exceptions are not strictly mandatory, but it should be noted that certain regulations require them. From a risk management perspective, the absence of exception management may be a sign that the company is not taking into account all potential scenarios and the specific needs of its users.

The latter, who are often creative in their needs, may find justifications for not complying with established policies—or even circumvent the problem by using software tools that are not approved by the IT department. Good exception management involves asking the question "why" behind each request for an exception.

For Baptiste David, "in this case, the exemptions aim to distinguish legitimate needs from illegitimate ones, while ensuring the security of the company and preventing unauthorized circumvention." It is this increase in requests that requires companies to implement an exemption management system.

Why implement an exemption management system?

Establish a regulatory framework

An exemption management system allows you to:

  • receive requests to open an exemption;
  • keep a record of the exchanges in order to enhance transparency and accountability for all parties.

This centralization allows IT teams to monitor and take into account any changes with regard to the company's security policy.

Facilitate audits

By having a tool that centralizes previous exemption requests, the company can demonstrate in a transparent and documented manner how it manages these exceptions.

When an auditor asks how exceptions are handled, the company can provide tangible evidence of its exception process, demonstrating its commitment to compliance and security. Without this documentation, the company may have to gather and consolidate the information after the fact, which can complicate and prolong the audit process while increasing stress levels among teams.

Avoid penalties

The absence of a system for managing exceptions can have serious consequences for a company. In the event of an audit, the company may be criticized for a lack of monitoring and documentation, which can result in penalties such as fines or loss of certification.

It should be noted that certification, such as ISO 27001, has become a mark of trust and a prerequisite when choosing a service provider. Losing this certification can damage a company's reputation and compromise its ability to secure contracts or even respond to calls for tenders.

How to set up an exemption management system with Tenacy?

Tenacy offers powerful features designed to simplify and optimize the management of exemptions.

Implement an easy-to-use tool

With Tenacy, a user can submit an exemption request via a ticket, indicating the reasons for and duration of the exception. The approver can then accept or reject the request, adding an expiration date. This transparent collaboration ensures that all stakeholders have the same level of knowledge.

Organize follow-up

The Tenacy platform ensures that each exception is tracked and traceable. This traceability includes dates, people involved, the subject of the exception, and the period of validity. It is important to note that exceptions are generally temporary, which means that an end date must be specified for each exception.

In order to correlate requests with the company's information system security policy (ISSP), Tenacy links these two elements to provide an overview that supports the decision on whether or not to accept the request.

Users can also add documents and comments to complete the follow-up.

Measuring performance

The use of key performance indicators (KPIs) makes it possible to assess the overall effectiveness of the exemption management process: number of exemptions processed, number unprocessed, total number of exemptions, and so on. Tenacy generates these performance indicators daily, providing essential information for management. To ensure that nothing is overlooked, alerts and notifications remind users when an exemption is about to expire.
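As an added illustration (example code, not Tenacy's or the article's own), here is a minimal exemption register in Python that enforces the workflow described above: a request carries a reason, an approval must set a future end date, every decision is logged with its date and actor, daily KPIs count total, processed and unprocessed exemptions (plus currently active ones, an addition beyond the article's list), and an alert lists approved exemptions that have expired or expire within a window. Ticket ids, names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Exemption:
    """One exemption ticket: who asked, for which rule, why, and until when."""
    id: str
    rule: str                            # ISSP control being deviated from
    requester: str
    reason: str
    status: str = "pending"              # pending | approved | rejected
    expires_on: Optional[date] = None    # mandatory once approved
    history: list = field(default_factory=list)  # (date, actor, action) audit trail
    def decide(self, approver: str, accept: bool, on: date,
               expires_on: Optional[date] = None) -> None:
        if self.status != "pending":
            raise ValueError(f"{self.id} was already decided")
        if accept:
            # Exemptions are temporary: approval without a future end date is refused.
            if expires_on is None or expires_on <= on:
                raise ValueError(f"{self.id}: approval requires a future expiry date")
            self.status, self.expires_on = "approved", expires_on
        else:
            self.status = "rejected"
        self.history.append((on, approver, self.status))

def kpis(register: list, today: date) -> dict:
    """Daily indicators: total, processed, unprocessed and currently active exemptions."""
    processed = [e for e in register if e.status != "pending"]
    active = [e for e in register if e.status == "approved" and e.expires_on > today]
    return {"total": len(register), "processed": len(processed),
            "unprocessed": len(register) - len(processed), "active": len(active)}

def expiry_alerts(register: list, today: date, within_days: int = 14) -> list:
    """Ids of approved exemptions that have expired or expire within the window."""
    horizon = today + timedelta(days=within_days)
    return sorted(e.id for e in register
                  if e.status == "approved" and e.expires_on <= horizon)

# Constructed sample register (hypothetical tickets, not real data).
TODAY = date(2025, 3, 3)
REGISTER = [
    Exemption("EX-1", "web filter: social media", "marketing", "community management"),
    Exemption("EX-2", "no local admin rights", "alice", "install a CAD plug-in"),
    Exemption("EX-3", "web filter: social media", "hr", "employer branding campaign"),
]
REGISTER[0].decide("ciso", True, on=date(2025, 2, 1), expires_on=date(2025, 3, 10))
REGISTER[1].decide("ciso", False, on=date(2025, 2, 2))  # EX-3 stays pending
```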

A platform that goes beyond managing exemptions

Just as choosing a CRM is not limited to taking notes on a company's file, the functional scope of the Tenacy platform goes far beyond simple exception management.

This platform offers a range of features from reporting to automation, with specific features such as the integration of a compliance catalog: this allows companies to precisely target the security policies that apply to their industry.

The use of exemptions is an essential part of risk management and of applying the security policy within a company. However, this cannot be done without implementing a reliable and effective exemption management system.

With Tenacy, managing exemptions becomes a transparent, seamless process that complies with the most stringent compliance requirements. Feel free to contact our experts to find out more!
