Open ab-smith opened 3 months ago

Problem statement

From an audit, risk assessment, or directly, I want to be able to track security exceptions. They are a variant of risk acceptance and can be useful to list items that are not going through RAF but are accepted drift, temporarily or permanently.

Comment:

I have the same requirements. Audits and risk assessments should allow exceptions (e.g., where an audit point is partially compliant or where a residual risk is not satisfactory). IMHO, to be helpful, those exceptions should be based on action plans with (i) a description, (ii) an owner, (iii) a deadline, and (iv) a status. (It does not seem to me that risk acceptances are variants of exceptions, given that the documentation says that "Risk acceptance is when an organization or individual decides to tolerate a certain level of risk without taking further action to reduce it." --> The tool should allow further actions to be tracked to reduce risks or compliance issues.)