When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to a vulnerable item (VI) or remediation task (RT) that cannot be remediated according to the policy.

Before you begin

Limit the duration of an exception requested and add a questionnaire to the exception or false positive request using the Vulnerability Response module. By default, an exception is requested using the ServiceNow® Vulnerability Response module. You can also request an exception using the GRC: Policy and Compliance Management integration.

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

Role required: sn_vul.manage_exception_configuration

About this task

If Vulnerability Response is enabled, you can limit the duration for which an exception can be requested. Similarly, if the GRC: Policy and Compliance Management module is installed, you can select GRC: Policy and Compliance Management on the configuration screen. Enabling this option lets you request an exception that specifies the Policy and Control objective from GRC.

If you add a questionnaire, it’s sent to the person raising the exception or false positive request. You can either use the default questionnaire or create one based on your requirements.

It’s useful for the exception approver to understand the reason for requesting the exception.

Procedure

  1. Navigate to All > Vulnerability Response > Administration > Exception Management.
  2. On the Exception Management Configuration form, select how you want to manage an exception by selecting an option from the Manage exceptions using list.
    You can select either Vulnerability Response or GRC: Policy and Compliance Management. You must activate the GRC plugin to use GRC: Policy and Compliance Management to request an exception. Changing the configuration doesn’t impact the existing data.
  3. If you selected the Vulnerability Response option, enter the following information:
    Table 1. Settings for VR Exception Management form
    FieldDescription
    Duration Period for which an exception can be requested.
    Unit Unit of time for the specified period.
    Enable questionnaire to request exception Option to add a questionnaire to the exception request being raised.
    Questionnaire to request exception Displays the questionnaire selected by you to request an exception. The Exception Questionnaire is displayed by default.
    Note: This field appears only when you select the Enable questionnaire to request exception check box.
    Questionnaire for compensating control Displays the questionnaire that a remediation owner must answer for risk reduction requests. Starting from v20.0 of Vulnerability Response, you can set questionnaire for risk reduction requests. The Compensating Control Questionnaire is selected by default.
    Note: This field appears only when you select the Enable questionnaire to request exception check box.
    Enable questionnaire to mark false positive Option to add a questionnaire to the false positive request being raised.
    Questionnaire to mark false positive Displays the questionnaire selected by you to mark as false positive. The questionnaire for false positive request is displayed by default.
    Note: This field appears only when the Enable questionnaire to mark false positive check box is selected.

    If you have customized the existing questionnaire and upgrade to v20.0, then this customized questionnaire appears for risk reduction request instead of the default Compensating Control Questionnaire.

  4. If you selected the GRC: Policy and Compliance Management option, enter the following information:
    Table 2. Settings for VR Exception Management form
    Field Description
    Enable questionnaire to mark false positive Option to add a questionnaire to the false positive request being raised.
    Questionnaire to mark false positive Displays the questionnaire selected by you to mark as false positive. The questionnaire for false positive request is displayed by default.
  5. To configure questionnaires based on conditions for exception and false-positive requests:
    1. In the VR Questionnaire Configuration section, select New.
    2. In the Questionnaire Configuration - New Record form, fill in the fields and select Submit.
      For more information on the Questionnaire Configuration form fields, see Questionnaire Configuration form fields.
      The created questionnaire appears in the VR Questionnaire Configuration section of the Settings for VR Exception Management form.
    For example, if you want to configure questionnaire for false-positive requests for critical vulnerable items, then select the False positive for vulnerable items approval rule, provide the condition as Risk rating is 1 - Critical and select the desired questionnaire in the Questionnaire Configuration form.
  6. Select Save.