What Information is Important in Requesting an Exception?
The key information a unit should provide when submitting a request for a compensating control is the set of facts or procedures that prevent a device or class of devices from becoming compliant. If, for example, a device cannot host a firewall or be protected through an external device or process, then documenting how the unit intends to protect it from the threats a firewall covers is paramount to the request. Citing locally defined time frames and procedures will hasten the evaluation and approval process. Quantitative information goes a long way in helping the CIO Security Group determine whether the threats have been properly identified and addressed by the requesting unit.