RGPD, LPM, NIS... Companies today are subject to more and more regulatory and compliance frameworks. While these rules are essential to guarantee a high level of security within the organization, they can sometimes hinder the fluidity of operations.

But how do you deal with a situation that does not comply with your company's information system security policy (ISSP), or with one of the many applicable regulations? What is a derogation? And above all, how can a company set up an exemptions management system?


What is a derogation?

A derogation can be defined as an exceptional authorization or temporary exemption granted to deviate from the organization's established rules or policies.

According to Baptiste David, Head of PreSales and Delivery at Tenacy, "a derogation is the non-application of a safety measure."

A concrete example of this need for derogation can be seen in the management of corporate Internet access policy: it is not uncommon to see CIOs blocking access to recreational sites such as Facebook within companies, for fear of sensitive information leaks or malware infection. While legitimate, this generalized restriction systematically impacts communications and marketing teams, who are legitimate users of social networks. This is where exemptions can help tailor a company's security policy to specific needs.

Another example of a derogation concerns the management of administrator rights within an organization. As a general rule, employees have no rights to administer their workstations. In special situations, however, users may need administrator rights to install or update software. Here again, the exemption allows the rule to be adapted to suit the situation.

It should be noted that exemptions are not limited to individual user needs. They can also be applied at a hierarchical level, such as a department or a management team (the so-called VIPs).

Is it compulsory to use exemptions?

Exemptions are not strictly mandatory, but some regulations do require them. From a risk management point of view, the absence of exemptions may be a sign that the company is not taking into account all potential scenarios and the specific needs of its users.

The latter, often creative in their needs, may find justifications for not complying with established policies - or even for circumventing the problem by using software tools not approved by the IT department. Good management of exemptions means asking the "why" behind every exception request.

For Baptiste David, "in this case, exemptions aim to distinguish between legitimate and illegitimate needs, while ensuring corporate security and preventing unauthorized circumvention." The growing number of requests is forcing companies to equip themselves with an exemptions management system.


Why set up an exemptions management system?

Defining a regulatory framework

An exemptions management system allows you to:

  • receive opening (exemption) requests;
  • keep a record of exchanges to reinforce transparency and accountability.

This centralized approach enables IT teams to monitor and take into account any changes to the company's security policy.

Facilitating audits

By having a tool that centralizes previous exemption requests, the company can demonstrate in a transparent and documented way how it handles these exceptions.

When an auditor asks questions about exemptions management, the company can provide tangible evidence of its exemption process, demonstrating its commitment to compliance and security. Without such documentation, the company may have to reconstruct and consolidate the information after the fact, which can complicate and prolong the audit process while increasing stress levels among teams.

Avoiding penalties

The absence of an exemptions management system can have serious consequences for a company. In the event of an audit, the company runs the risk of being accused of a lack of monitoring and documentation, which can lead to sanctions such as fines or loss of certification.

Certification, such as ISO 27001, has become a mark of confidence and a must when choosing a service provider. Losing this certification can damage a company's reputation, and compromise its ability to access contracts or respond to calls for tender.


How do you set up an exemptions management system with Tenacy?

Tenacy offers powerful features designed to simplify and optimize management of exemptions.

Set up an easy-to-use tool

With Tenacy, a user can submit an exception request by ticket, indicating the reasons and duration of the exception. The approver can then accept or reject the request, adding an expiry date. This transparent collaboration ensures that all stakeholders benefit from the same level of knowledge.

Organizing follow-up

The Tenacy platform guarantees the tracking and traceability of each derogation. This traceability includes the dates, the people involved, the objects of the derogation, and the duration of validity. It is important to note that exemptions are generally temporary, which means that an end date must be specified for each exception.

In order to correlate requests with the company's security policy (ISSP), Tenacy links these two elements to provide an overall view, enabling a decision to be made as to whether or not to accept the request.

Users can also add documents and comments to complete the follow-up.

Measuring performance

The use of performance indicators (KPIs) makes it possible to assess the overall efficiency of the exemptions management process: number of exemptions processed, number still pending, total number of exemptions, and so on. Tenacy generates these performance indicators on a daily basis, providing essential information for management purposes. To make sure nothing is forgotten, alerts and notifications remind users when an exemption is about to expire.

A platform that goes beyond exemptions

Just as choosing a CRM involves much more than taking notes on a company file, the functional scope of the Tenacy platform goes far beyond simple exemptions management.

This platform offers a range of functions from reporting to automation, with specific features such as the integration of a compliance catalog: this enables companies to precisely target the security policies that apply to their business sector.


IN BRIEF

The use of exemptions is an essential element of risk management and of the application of a company's security policy. However, this cannot be achieved without a reliable and efficient exemptions management system.

With Tenacy, exemptions management becomes a seamless, fluid process in line with the most stringent compliance requirements. Contact our experts to find out more!