RGPD (GDPR), LPM, NIS: companies today are subject to regulatory and compliance frameworks. While these rules are essential to guarantee a high level of security within the organization, they can sometimes hinder the fluidity of operations.

But how do you deal with a situation that doesn't comply with your company's IT security policy (ISSP) or with one of the many applicable regulations? What is a derogation? How do you set up an exemptions management system, and what are its advantages? Explanations and advice from our expert.

 

What is a derogation?

A derogation can be defined as an exceptional authorization or temporary exemption granted to deviate from the organization's established rules or policies.

For Baptiste David, Head of PreSales and Delivery at Tenacy: "A derogation is the non-application of a security measure." According to the expert, a concrete example of this need for derogation can be seen in the management of corporate Internet access policy: "It is not uncommon to see CIOs blocking access to recreational sites such as Facebook within companies, for fear of sensitive information leaks or malware infection. While legitimate, this generalized restriction systematically impacts communications and marketing teams, who are legitimate users of social networks. This is where exemptions can help tailor a company's security policy to specific needs."

Another exception concerns the management of administrator rights within an organization. As a general rule, employees do not have administrator rights for their workstations. In special situations, however, users may need administrator rights to install or update software. Here again, the rule can be adapted to suit the situation.

It should be noted that exemptions are not limited to individual user needs. They can also be applied to a hierarchical level, such as a department or a management team - the so-called VIPs.

Is it compulsory to use exemptions?

Exemptions are not strictly mandatory, but some regulations do require them. From a risk management point of view, the absence of exemptions may be a sign that the company is not taking into account all potential scenarios and the specific needs of its users.

Users, who are often creative in their needs, may find justifications for not complying with established policies. They may even circumvent the problem by using software tools not approved by the IT department. Good management of exemptions means asking the "why" behind every exception request.

According to Baptiste David: "In such cases, exemptions aim to distinguish between legitimate and illegitimate needs, while ensuring the company's security and preventing unauthorized circumvention." The increasing number of requests is forcing companies to set up an exemption management system.

 

What are the benefits of implementing an exemptions management system in your company?

Defining a regulatory framework

A management system for exemptions enables the organization to receive access-opening requests and keep a history of exchanges, with the aim of reinforcing transparency and accountability. This centralized system enables IT teams to monitor and take into account any modifications to the company's security policy.

Facilitating audits

By having a tool that centralizes previous exemptions requests, the company can demonstrate in a transparent and documented way how it handles these exceptions.

When an auditor asks questions about exemptions management, the company can provide tangible evidence of its waiver process, demonstrating its commitment to compliance and security. Without such documentation, the company runs the risk of having to consolidate information from scattered sources, which can complicate and prolong the audit process, while increasing stress levels among teams.

Avoiding penalties

The absence of an exemptions system can have serious consequences for a company. In the event of an audit, the company runs the risk of being accused of a lack of monitoring and documentation, which can lead to sanctions such as fines or loss of certification.

Certification to certain standards, such as ISO 27001, has become a mark of confidence and a must when choosing a service provider. Losing this certification can damage a company's reputation and compromise its ability to gain access to contracts, or even to respond to invitations to tender.

 

How do you set up an exemptions management system with Tenacy?

Tenacy offers powerful features designed to simplify and optimize management of exemptions.

Set up an easy-to-use tool

With Tenacy, a user can submit an exception request by ticket, indicating the reasons and duration of the exception. The approver can then accept or reject the request, adding an expiry date. This transparent collaboration ensures that all stakeholders benefit from the same level of knowledge.

Organizing follow-up

The Tenacy platform guarantees the tracking and traceability of each derogation. This traceability includes the dates, the people involved, the objects of the derogation, and the duration of validity. It is important to note that exemptions are generally temporary, which means that an end date must be specified for each exception.

In order to correlate requests with the company's security policy (ISSP), Tenacy links these two elements to provide an overall view, enabling a decision to be made as to whether or not to accept the request.

Users can also add documents and comments to complete the follow-up.

Measuring performance

The use of key performance indicators (KPIs) enables the organization to assess the overall efficiency of the exemptions management process: number of exemptions processed, number pending, total number of exemptions, and so on. Tenacy generates these performance indicators daily, providing essential information for management purposes. To make sure nothing is forgotten, alerts and notifications remind users when an exemption is about to expire.
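As an added illustration (not Tenacy's code), the following Python register walks the lifecycle described in the three sections above: a ticket is submitted with its justification and requested duration, an approver accepts or rejects it and an end date is always recorded, and the register derives the daily KPIs and the list of exemptions about to expire. The 90-day validity cap, the status names and the field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Exemption:
    ticket_id: int
    requester: str
    control: str                 # ISSP measure being waived (the "object" of the derogation)
    justification: str
    requested_days: int
    status: str = "pending"      # pending | approved | rejected (assumed status names)
    approver: Optional[str] = None
    decided_on: Optional[date] = None
    expires_on: Optional[date] = None
    history: list = field(default_factory=list)   # traceability: who did what, when

class ExemptionRegistry:
    """Hypothetical ticket-based exemption register (illustration, not Tenacy's code)."""
    def __init__(self):
        self._items, self._next = {}, 1

    def submit(self, requester, control, justification, requested_days):
        e = Exemption(self._next, requester, control, justification, requested_days)
        e.history.append(f"submitted by {requester}")
        self._items[e.ticket_id], self._next = e, self._next + 1
        return e.ticket_id

    def decide(self, ticket_id, approver, approve, today, max_days=90):
        e = self._items[ticket_id]
        e.approver, e.decided_on = approver, today
        if approve:
            # accepted exemptions are always temporary: cap validity (assumed 90 days) and record an end date
            e.expires_on = today + timedelta(days=min(e.requested_days, max_days))
        e.status = "approved" if approve else "rejected"
        e.history.append(f"{e.status} by {approver} on {today}")
        return e.status

    def active(self, today):
        return [e for e in self._items.values() if e.status == "approved" and e.expires_on >= today]

    def expiring_within(self, today, days):
        # feeds the "about to expire" reminder
        return [e for e in self.active(today) if (e.expires_on - today).days <= days]

    def kpis(self, today):
        items = list(self._items.values())
        return {"total": len(items),
                "pending": sum(e.status == "pending" for e in items),
                "processed": sum(e.status != "pending" for e in items),
                "active": len(self.active(today)),
                "expired": sum(e.status == "approved" and e.expires_on < today for e in items)}
```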

A platform that goes beyond exemptions

Just as choosing a CRM involves much more than taking notes on a company file, the functional scope of the Tenacy platform goes far beyond simple exemptions management.

This platform offers a range of features from reporting to automation, as well as specific functionalities such as the integration of a compliance catalog that enables companies to target precisely the security policies that apply to their business sector.

 

In conclusion

The use of exemptions is an essential element in risk management and the application of a company's security policy. However, this cannot be achieved without the implementation of an exemptions management system.

With Tenacy, exemptions management becomes a seamless, fluid process in line with the most stringent compliance requirements. Contact our experts to find out more.