Episode 38 — Handle exceptions and waivers without eroding control effectiveness

In the real world of business operations, a perfect "one-size-fits-all" policy is rare, making the formal management of exceptions and waivers a critical skill for any security leader. This episode details how to handle requests for policy deviations without compromising the organization’s overall security posture. We define an exception as a temporary, approved deviation from a standard that includes a documented business justification and a specific expiration date. For the GSTRT exam, understanding the use of "compensating controls" is vital—these are the alternative security measures put in place to mitigate the risk created by the exception. Scenarios include a business unit needing to use a legacy application that does not support modern password standards, requiring a waiver that includes enhanced network monitoring. Best practices involve maintaining a centralized exception registry to track the cumulative risk and ensure that waivers do not become permanent, undocumented vulnerabilities.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
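To make the registry practice concrete, here is an added example (not from the episode or BareMetalCyber.com) of a minimal exception registry check: each waiver must carry a justification, an expiration date and at least one compensating control, and the open-waiver risk is summed per business unit. The `Waiver` fields, the 1-to-5 risk scale and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Waiver:
    """One entry in a centralized exception registry (constructed schema)."""
    waiver_id: str
    business_unit: str
    standard: str                    # the control being deviated from
    justification: str               # documented business reason
    expires: Optional[date]          # None = no expiry recorded (a red flag)
    compensating_controls: list = field(default_factory=list)
    risk_score: int = 0              # constructed 1 (low) .. 5 (high) scale

def review_registry(registry, today):
    """Return (waiver_id, finding) pairs for waivers that fail the policy rules."""
    findings = []
    for w in registry:
        if not w.justification.strip():
            findings.append((w.waiver_id, "missing business justification"))
        if w.expires is None:
            findings.append((w.waiver_id, "no expiration date; risk of permanent waiver"))
        elif w.expires < today:
            findings.append((w.waiver_id, "expired; re-approve or remediate"))
        if not w.compensating_controls:
            findings.append((w.waiver_id, "no compensating control recorded"))
    return findings

def cumulative_risk(registry, today):
    """Sum risk of waivers still open (not expired) per business unit."""
    totals = {}
    for w in registry:
        if w.expires is not None and w.expires < today:
            continue                 # expired waivers no longer count as accepted risk
        totals[w.business_unit] = totals.get(w.business_unit, 0) + w.risk_score
    return totals

# Constructed sample registry: one well-formed waiver, one expired, one undocumented.
REGISTRY = [
    Waiver("EX-001", "Finance", "Password complexity standard",
           "Legacy payroll app cannot enforce modern password rules",
           date(2025, 12, 31), ["Enhanced network monitoring", "Isolated VLAN"], 3),
    Waiver("EX-002", "Finance", "30-day patch SLA", "Vendor patch awaiting certification",
           date(2024, 1, 31), ["WAF rule in blocking mode"], 2),
    Waiver("EX-003", "Marketing", "MFA for SaaS admin accounts", "", None, [], 4),
]
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for waiver_id, finding in review_registry(REGISTRY, TODAY):
        print(f"{waiver_id}: {finding}")
    print("open risk per business unit:", cumulative_risk(REGISTRY, TODAY))
```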