    Policy Exception Integration with Vulnerability Response

    Starting with Version 10.1, the GRC policy exception management capability built into the Policy and Compliance Management application can be used to request policy exceptions from within version 10.3 of the Vulnerability Response application.

    Benefits of using the Policy Exception Integration

    Requesting exceptions using the policy exception integration with Policy and Compliance Management provides the following benefits:
    • Perform assessments to gather additional information about the requests.
    • Request exceptions based on a specific policy or control objective. This action shows the effects on compliance when an exception is approved.
    • Configure approvals to be triggered automatically based on the risk rating, policy, or control objective associated with the policy exception.

    How the Policy Exception Integration works

    The scenario described here assumes that a vulnerability has been identified in your system and your remediation owner has determined that a software patch is needed. The patch has not been fully tested and the owner is requesting a policy exception to defer deployment of the patch until testing is complete.
    The following diagram illustrates the steps performed by the compliance manager and the remediation owner in each of the applications.
    Policy exception integration workflow
    1. When the Vulnerability Response application is installed, two policy exception integration records are created automatically and added to the Integration Registry: one for a vulnerability group and one for a vulnerable item.
      Policy exception integration Register
      To configure the vulnerable item record, the compliance manager performs the following steps.
      1. Identifies the mapping of tables used to integrate the two applications.
      2. Defines reasons for requesting exceptions.
      3. (Optionally) Defines policy categories for filtering policies.
      4. (Optionally) Creates one or more questionnaires to be sent to the requester to gather additional information about the policy exception request.
    2. The compliance manager also defines optional verification rules and approval rules to automate the process of getting approvals for the policy exception.
    3. In Vulnerability Response, the remediation owner requests a policy exception using the Policy Exception Integration.
    4. If a verification rule was defined for the application, the designated approvers are notified that their approval is required. If any fields in the policy exception request were not filled in by the requester (for example, the Policy or Control Objective), those fields become mandatory for the approvers. When the approvers have reviewed, completed, and approved the request, it transitions to the Analyze state and is assigned to the compliance manager for further analysis and approval.
    5. In Policy and Compliance Management, the compliance manager receives the approved request and assigns a risk rating to the policy exception request on the Risk assessment tab.
      Risk assessment

      When the policy exception record is saved, the Source tab (including the source application and source record) and the Vulnerable Items related list are populated automatically. The compliance manager now has access to all the data needed to review and approve the policy exception.

    6. In Policy and Compliance Management, the compliance manager performs the exception assessment, if assessments were configured. When the assessment is completed, the compliance manager returns to the Risk assessment tab and updates the Risk rating based on the findings of the assessment, if needed. The compliance manager also populates the following fields with information gathered during the assessment.
      Table 1. Risk assessment tab
      Field: Description
      Risk description: Provide details about the risk associated with this policy exception.
      Analysis of risk and impact: Provide details about your analysis of the risk and impact to the policy exception.
      Risk mitigation plan: Provide details about the mitigation plan associated with this policy exception.
    7. If the policy exception is missing any information, the compliance manager can click Request More Information and add comments to identify the type of data needed. The requester is notified and provides the requested information.
    8. Optionally, the compliance manager can send the policy exception out for an additional in-house review before approving it by clicking Request Review.
      Note: Prior to requesting a review, ensure that the Impacted Controls related list contains the controls that are impacted by the policy exception. Simply open the related list, click Add, and select the controls.
    9. If the policy exception is of a particularly high risk, and the compliance manager believes that approval should come from someone higher in the organization (for example, the CIO), the compliance manager can click Request Approval.
      Otherwise, approval is performed in one of the following scenarios, depending on whether an approval rule is defined.
      Approval rule defined: Effect on approval
      No approval rule defined for Vulnerability Response:
      Clicking the Approve button approves the policy exception.

      Approval rule defined, but the Auto-trigger check box not selected:
      You can click Request Approval to send the policy exception to the users or groups defined in the rule. For example, an approval rule may specify that when the policy exception is based on a particular policy, a certain set of users or groups is notified that their approval is required. Or, an approval rule may be defined so that any policy exception with a risk rating of Critical is automatically sent to a certain set of approvers.

      The number of approvers necessary to approve the policy exception depends on the setting in the Required Approval field in the rule.

      You can also click Approve to approve the policy exception yourself.

      Approval rule defined, and the Auto-trigger check box selected:
      Clicking the Approve button executes the approval rule, and the policy exception is automatically sent to the users or groups defined by the rule for approval. Auto-trigger makes this step mandatory. When approvals are received, the policy exception goes into effect.
    10. In Vulnerability Response, after the approvals have been received, the policy exception becomes active and the patching activity on the vulnerable item is deferred until the policy exception expires. When the Valid until date is reached, the policy exception expires and the state of the vulnerable item changes from Deferred to Open.
