intuitem / ciso-assistant-community

CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management and supporting +60 frameworks worldwide with auto-mapping: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber, NCSC, ECC, SCF and so much more
https://intuitem.com

Track security exceptions #670

Open ab-smith opened 3 months ago

ab-smith commented 3 months ago

Problem statement

From an audit, risk assessment, or directly, I want to be able to track security exceptions. They are a variant of risk acceptance and can be useful to list items that are not going through RAF but are accepted drift, temporarily or permanently.

ldelavaissiere commented 2 months ago

I have the same requirements. Audits and risk assessments should allow exceptions (e.g., where an audit point is partially compliant or where a residual risk is not satisfactory). IMHO, to be helpful, those exceptions should be based on action plans with (i) a description, (ii) an owner, (iii) a deadline, and (iv) a status. (It does not seem to me that risk acceptances are variants of exceptions, given that the documentation says that "Risk acceptance is when an organization or individual decides to tolerate a certain level of risk without taking further action to reduce it." --> The tool should allow further actions to be tracked to reduce risks or compliance issues.)