Exceptions - The Basics



What is an exception?

It's a way to temporarily change the status of a control on a host from Failed to PassedE (passed with an exception). You can request an exception for a failing control on a specific host. Your exception request must be reviewed and approved by an authorized user.

Why might I need an exception?

There may be times when you need to exempt certain hosts from a particular control. For example, it may be the policy in an organization that the service FTP is not allowed on any server. However, there could be a business need for the organization to provide an exception for one or more hosts on a temporary basis. This may be required to support a custom application or other business need.

How do I request exceptions?

You request exceptions from these interactive reports: Individual Host Compliance Report and Control Pass/Fail Report.

Tip - You can quickly run interactive reports from the Policy Summary. Just go to Reports > Policy Summary. Select a policy. Click any host (under Top Failing Hosts) to run the Individual Host Compliance report. Click any control (under Top Failing Controls) to run the Control Pass/Fail report.

To request a single exception

From either interactive report, identify the host/control that needs the exception and click the Request link on the right side. You'll need to assign the exception to a user and provide comments. From the ‘Assign to’ menu, you can choose any user who has privileges to the host, including any Manager or Auditor user. 

To request multiple exceptions

From either interactive report, select the check box next to each host/control that you want to include in the request and then click the Request Exception button at the top of the report. You'll need to assign the exceptions to a user and provide comments. 

When requesting multiple exceptions from the Individual Host Compliance Report, the ‘Assign to’ menu includes only Managers and Auditors. No other users will be listed.

When requesting multiple exceptions from the Control Pass/Fail Report, the ‘Assign to’ menu includes users with privileges to all of the selected hosts, including Managers and Auditors. If a user only has access to some of the selected hosts, then the user will not be listed in the ‘Assign to’ menu. For example, let's say UserA has access to Host1 and Host2, and UserB only has access to Host1. If you pick both Host1 and Host2 for the exception request, then the list will include UserA but not UserB because UserB does not have access to Host2, which is part of the request.
 

How do I see my exceptions?

Go to PC > Exceptions to see exceptions on your hosts. Select Info from the Quick Actions menu for any exception to view complete details, including the related policy, control and technology, plus the expected control value as defined in the policy and the actual value returned during the compliance scan. You can also view a history log for the exception.

Do you want to filter the list?

Choose "My Assigned" from the Filters menu to list all exceptions assigned to you. Choose "My Exceptions" to list exceptions that you requested.

How do I approve/reject exceptions?

Go to PC > Exceptions, identify the exception you want to take action on and choose Edit from the Quick Actions menu. You can approve, reject or reopen an exception. When you choose Approved, you can optionally provide an end date to make the exception temporary. Once the end date passes, the exception status will change to Expired.

How do I reassign exceptions?

Edit the exception to reassign it to another user who also has privileges to the host. Go to PC > Exceptions, identify the exception you want to reassign and choose Edit from the Quick Actions menu. Tip - You can reassign multiple exceptions in bulk. Select the check boxes next to the exceptions and choose Edit from the Actions menu above the list.

How do I add comments to exceptions?

Edit the exception to add comments. Go to PC > Exceptions and choose Edit from the Quick Actions menu. Tip - You can add comments to multiple exceptions in bulk. Select the check boxes next to the exceptions and choose Edit from the Actions menu above the list.

Reopen exceptions based on evidence

When selected, we'll automatically reopen an exception if a future scan returns a value for the control that is different than the value at the time of the request, and the control is still failing. Tip - You can choose this option when requesting the exception or when approving it.

For example, let's say CID 1071 "Status of the 'Minimum Password Length' setting" has an expected value of 8 and your host returned a value of 5, which is failing. You request an exception for the host and it gets approved. The next scan of the host returns a value of 6, which is an improvement but still failing. If the reopen feature was enabled, the exception status changes from Approved to Pending. The exception will need to be re-evaluated and approved again.

How do I know if this option was enabled?

You'll see a check mark next to the Approved status on your Exceptions list.

Can exceptions be deleted?

Yes. Managers and Auditors can delete any exception, regardless of who the exception is assigned to. Important - When exceptions are deleted, the exception history is permanently removed and cannot be recovered.

An exception for a system control can be deleted in these scenarios:

- You explicitly delete the exception.

- The host and policy technologies do not match (either the host's technology changes or the technology is removed from the policy).

- The control is removed from the policy.

- The technology is excluded from the control in the policy.

- The IP is removed from an asset group that belongs to the policy.

Tell me about the exception history

All actions are logged in the exception history with the name of the user who performed the action and a time stamp for when the action took place. Select Info from the Quick Actions menu for any exception and then go to the History section. The original exception request and each action taken on the exception since the request are listed with user-provided comments.

Tell me about the exception notification

You can receive email notifications for status changes to exceptions that you requested and exceptions that are assigned to you. Notifications will be sent when exceptions are requested, approved, rejected, reassigned and expired. To get this email, select User Profile below your user name (in the top right corner). Go to Options to select the exception notification.

Tell me about the exception status levels

Exception status levels include:

Pending - An exception is in a Pending state when first requested by a user. Also, if a previously approved or rejected exception is reopened, then it goes back to Pending.

Approved - An exception is in an Approved state when it is reviewed and approved by an authorized user. You would approve an exception if it's determined that the host should be exempt from the specified control. As long as the host is exempt for the control, a status of PassedE appears in compliance reports. The status changes back to Failed when the exception expires.

Rejected - An exception is in a Rejected state when it is reviewed and rejected by an authorized user. You would reject an exception if it's determined that the host should not be exempt from the specified control. When an exception is rejected, a status of Failed continues to appear for the host/control in compliance reports.

Expired - Exceptions are in an Expired state when the exception was previously approved but the time limit has been reached. When an exception is expired, a status of Failed appears again for the host/control in compliance reports.
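
The status levels above and the "Reopen exceptions based on evidence" rule can be modeled as a small state machine. This is an added example, not product code: the class, method names and dates are constructed, and it assumes that a Pending exception still reports as Failed and that the automatic reopen applies to Approved exceptions, as in the CID 1071 example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class ControlException:
    """Constructed model of one host/control exception (not a product object)."""
    value_at_request: int               # value the scan returned when requested
    status: str = "Pending"             # Pending | Approved | Rejected | Expired
    end_date: Optional[date] = None     # optional expiry set at approval
    reopen_on_evidence: bool = False

    def approve(self, end_date: Optional[date] = None) -> None:
        self.status, self.end_date = "Approved", end_date

    def reject(self) -> None:
        self.status = "Rejected"

    def on_scan(self, actual: int, passing: bool, today: date) -> str:
        """Apply one scan result; return the status a compliance report shows."""
        if self.status == "Approved":
            if self.end_date and today > self.end_date:
                self.status = "Expired"
            elif (self.reopen_on_evidence and not passing
                  and actual != self.value_at_request):
                self.status = "Pending"  # evidence changed, control still failing
        if passing:
            return "Passed"
        # Assumption: only an Approved exception masks the failure as PassedE.
        return "PassedE" if self.status == "Approved" else "Failed"

def cid_1071_walkthrough():
    """CID 1071 from the page: expected 8, host returns 5, later 6 (dates constructed)."""
    expected = 8
    exc = ControlException(value_at_request=5, reopen_on_evidence=True)
    seen = [exc.on_scan(5, 5 >= expected, date(2024, 1, 1))]        # not yet approved
    exc.approve(end_date=date(2024, 3, 1))
    seen.append(exc.on_scan(5, 5 >= expected, date(2024, 1, 8)))    # same evidence
    seen.append(exc.on_scan(6, 6 >= expected, date(2024, 1, 15)))   # changed, still failing
    return seen, exc.status

if __name__ == "__main__":
    print(cid_1071_walkthrough())
```

With the reopen option off, the third scan would keep reporting PassedE until the end date passes, so a drifting control value would go unreviewed for the life of the exception.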

Tell me about user permissions

Any user with compliance management privileges can request exceptions.

Managers and Auditors can approve/reject exceptions, reassign exceptions and add comments to exceptions.

Unit Managers may be granted permission to approve/reject exceptions for hosts in their assigned business unit and reassign exceptions to other users.

Scanners and Readers can edit exceptions for their assigned hosts in order to add comments to the exception details.