Benefits of using the Policy Exception Integration

How the Policy Exception Integration works

The following diagram illustrates the steps performed by the compliance manager and the remediation owner in each of the applications.

1. When the Vulnerability Response application was installed, two policy exception integration records are automatically created and added to the Integration Registry, one for a vulnerability group and one for a vulnerable item.

   

   To configure the vulnerable item record, the compliance manager performs the following steps.

   1. Identifies the mapping of tables used to integrate the two applications.
   2. Defines reasons for requesting exceptions.
   3. (optionally) Defines policy categories for filtering policies
   4. (optionally) Creates one or more questionnaires to be sent to the requester to gather additional information about the policy exception request.
2. The compliance manager also defines optional verification rules and approval rules to automate the process of getting approvals for the policy exception.
3. In Vulnerability Response, the remediation owner requests a policy exception using the Policy Exception Integration.
4. If a verification rule was defined for the application, the designated approvers are notified that their approval is required. If any fields in the policy exception request were not filled in by the requester (for example, the Policy or Control Objective), those fields become mandatory for the approvers. When the approvers have reviewed, completed, and approved the request, it transitions to the Analyze state and is assigned to the compliance manager for further analysis and approval.
5. In Policy and Compliance Management, the compliance manager receives the approved request, and assigns a risk rating to the policy exception request on the Risk assessment tab.

   

   When the policy exception record is saved, information in the Source tab, including the source application and source record, as well as information in the Vulnerable Items related list are auto-populated. The compliance manager now has access to all the data needed to review and approve the policy exception.

6. In Policy and Compliance Management, the compliance manager performs the exception assessment, if assessments were configured. When the assessment is completed, the compliance manager returns to the Risk assessment tab and updates the Risk rating based on the findings of the assessment, if needed. The compliance manager also populates the following fields with information gathered during the assessment.

   Table 1. Risk assessment tab

   Field	Description
   Risk description	Provide details about the risk associated with this policy exception.
   Analysis of risk and impact	Provide details about your analysis of the risk and impact to the policy exception.
   Risk mitigation plan	Provide details about the mitigation plan associated with this policy exception.

7. If the policy exception is missing any information, the compliance manager can click Request More Information and add comments to identify the type of data needed. The requester is notified and provides the requested information.
8. Optionally, the compliance manager can send the policy exception out for an additional in-house review before approving it by clicking Request Review.
   Note: Prior to requesting a review, ensure that the Impacted Controls related list contains the controls that are impacted by the policy exception. Simply open the related list, click Add, and select the controls.
9. If the policy exception is of a particularly high risk, and the compliance manager believes that approval should come from someone higher in the organization (for example, the CIO), the compliance manager can click Request Approval.
   Otherwise, approval is performed in the following scenarios.

   Approval rule defined	Effect on approval
   If an approval rule was not defined for Vulnerability Response	Clicking the Approved button causes the policy exception to be approved.
   If an approval rule was defined, but the Auto-trigger check box was not selected	You can click Request Approval to send the policy exception to the users or groups defined in the rule. For example, an approval rule may indicate that when the policy exception is based on a particular policy, a certain set of users or groups are notified that they need to provide approval for the policy exception. Or, an approval rule may be defined so that any policy exception with a risk rating of Critical is automatically sent to a certain set of approvers. The number of approvers necessary to approve the policy exception depends on the setting in the Required Approval field in the rule. You can also click Approve to approve the policy exception yourself.
   If an approval rule was defined, and the Auto-trigger check box was selected	Clicking the Approve button causes the approval rule to be executed and the policy exception is automatically sent to the users or groups defined by the rule for approval. Auto-trigger causes this step to be mandatory. When approvals are received, the policy exception goes into effect.

10. In Vulnerability Response, after the approvals have been received, the policy exception becomes active and the patching activity on the vulnerable item is deferred until the policy exception expires. When the Valid until date is reached, the policy exception expires and the state of the vulnerable item changes from Deferred to Open.