It's a way to temporarily change the status of a control on a host from Failed to PassedE (passed with an exception). You can request an exception for a failing control on a specific host. Your exception request must be reviewed and accepted by an authorized user.
There may be times when you need to exempt certain hosts from a particular control. For example, it may be the policy in an organization that the service FTP is not allowed on any server. However, there could be a business need for the organization to provide an exception for one or more hosts on a temporary basis. This may be required to support a custom application or other business need.
You request exceptions from these interactive reports: Control Pass/Fail Report and Individual Host Compliance Report
Tip - You can quickly run interactive reports from the Policy Summary. Just go to Reports > Policy Summary. Click any host (under Top failing hosts) to run the Individual Host Compliance report. Click any control (under Top failing controls) to run the Control Pass/Fail report.
In the report results, simply identify the control/host that needs an exception and click the Request link. Do you want to request multiple exceptions from the same report? Select the check box next to each control/host that you want to include in the request and then click the Request Exception button at the top of the report. You'll need to assign the exceptions to a user and provide comments.
Go to PC > Exceptions to see exceptions on your hosts. Select Info from the Quick Actions menu for any exception to view complete details, including the related policy, control and technology, plus the expected control value as defined in the policy and the actual value returned during the compliance scan. You can also view a history log for the exception.
Do you want to filter the list?
Choose "My Assigned" from the Filters menu to list all exceptions assigned to you. Choose "My Exceptions" to list exceptions that you requested.
Go to PC > Exceptions, identify the exception you want to take action on and choose Edit from the Quick Actions menu. You can accept, reject or reopen an exception. When you choose Accept, you'll also need to provide an end date because an exception is temporary. Once the end date passes, the exception status will change to Expired.
Edit the exception to reassign it to another user who also has privileges to the host. Go to PC > Exceptions, identify the exception you want to reassign and choose Edit from the Quick Actions menu. Tip - You can reassign multiple exceptions in bulk. Select the check boxes next to the exceptions and choose Edit from the Actions menu above the list.
Edit the exception to add comments. Go to PC > Exceptions and choose Edit from the Quick Actions menu. Tip - You can add comments to multiple exceptions in bulk. Select the check boxes next to the exceptions and choose Edit from the Actions menu above the list.
When selected, we'll automatically reopen an exception if a future scan returns a value for the control that is different than the value at the time of the request, and the control is still failing. Tip - You can choose this option when requesting the exception or when approving it.
For example, let's say CID 1071 "Status of the 'Minimum Password Length' setting" has an expected value of 8 and your host returned a value of 5, which is failing. You request an exception for the host and it gets approved. The next scan of the host returns a value of 6 which is an improvement but still failing. If the reopen feature was enabled, then the exception status changes from Approved to Pending. The exception will need to be re-evaluated and approved again.
How do I know if this option was enabled?
You'll see a check mark next to the Approved status on your Exceptions list.
Yes. Managers and Auditors can delete any exception, regardless of who the exception is assigned to. Important - When exceptions are deleted, the exception history is permanently removed and cannot be recovered.
Exception for a system control could be deleted under these scenarios:
- You explicitly delete the exception
- When host and policy technologies do not match (either host's technology changes or technology is removed from policy).
- Control is removed from the policy.
- Technology is excluded from control in the policy.
- IP is removed from an asset group that belongs to the policy.
All actions are logged in the exception history with the name of the user who performed the action and a time stamp for when the action took place. Select Info from the Quick Actions menu for any exception and then go to the History section. The original exception request and each action taken on the exception since the request are listed with user-provided comments.
You can receive email notifications for status changes to exceptions that you requested and exceptions that are assigned to you. Notifications will be sent when exceptions are requested, accepted, rejected, reassigned and expired. To get this email, select User Profile below your user name (in the top right corner). Go to Options to select the exception notification.
Exception status levels include:
Pending - An exception is in a Pending state when first requested by a user. Also, if a previously accepted or rejected exception is reopened, then it goes back to Pending.
Accepted - An exception is in an Accepted state when it is reviewed and accepted by an authorized user. You would accept an exception if it's determined that the host should be exempt from the specified control. As long as the host is exempt for the control, a status of PassedE appears in compliance reports. The status changes back to Failed when the exception expires.
Rejected - An exception is in a Rejected state when it is reviewed and rejected by an authorized user. You would reject an exception if it's determined that the host should not be exempt from the specified control. When an exception is rejected, a status of Failed continues to appear for the host/control in compliance reports.
Expired - Exceptions are in an Expired state when the exception was previously accepted but the time limit has been reached. When an exception is expired, a status of Failed appears again for the host/control in compliance reports.
Any user with compliance management privileges can request exceptions.
Managers and Auditors can accept/reject exceptions, reassign exceptions and add comments to exceptions.
Unit Managers may be granted permission to accept/reject exceptions for hosts in their assigned business unit and reassign exceptions to other users.
Scanners and Readers can edit exceptions for their assigned hosts in order to add comments to the exception details.