Episode 38 — Handle exceptions and waivers without eroding control effectiveness
In this episode, we focus on a governance problem that every mature security program eventually faces: how to offer flexibility when reality does not fit the control model, without letting flexibility slowly destroy the model. Exceptions and waivers are not inherently bad, they are a way to keep the organization moving when constraints are real, but unmanaged exceptions are one of the fastest paths to control drift. Drift is dangerous because it is quiet, and by the time it shows up in an incident or audit, it has usually become normal behavior. The aim is to treat exceptions as time-bound risk decisions with visible accountability, not as informal permission slips. When exceptions are handled well, teams feel supported rather than blocked, and leadership retains a clear view of what risks are being carried and why. When exceptions are handled poorly, controls become optional, and the organization begins to rely on optimism instead of protection. The goal is flexibility without losing control strength.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
Start by defining the terms clearly, because confusion about language is how exceptions become permanent by accident. An exception is a documented approval to deviate from a requirement under defined conditions, usually because the requirement cannot be met immediately but is still the target state. A waiver is typically a more formal decision to accept noncompliance for a time period or for a specific scope, often because the cost or feasibility of compliance is not reasonable in the near term. A temporary compensating control is a safeguard that reduces risk while the primary requirement is not met, designed to provide measurable protection until the real control can be implemented. These definitions matter because they imply different levels of risk acceptance and different expectations for follow-through. If teams call everything an exception, they may assume short duration and easy renewal, even when the situation is actually a long-term waiver. If teams call everything a waiver, they may assume the control is optional, which erodes intent. Clear definitions create consistent expectations and make tracking meaningful. When the vocabulary is shared, decision makers can understand what they are approving and why.
Eligibility criteria are the next line of defense against exception sprawl, because not every inconvenience should qualify for deviation. Criteria should define when an exception is allowed, such as when a requirement cannot be met due to a technical limitation, a vendor constraint, a legacy system that is scheduled for retirement, or a temporary capacity shortage with a defined remediation plan. Criteria should also define when an exception is not allowed, such as when the deviation would create unacceptable risk for high-value systems or regulated data. Duration limits matter because time is part of risk, and open-ended exceptions are essentially policy changes without governance. Renewals should not be automatic, because automatic renewal teaches the organization that exceptions are the default path. Instead, renewals should require revalidation of constraints and evidence that remediation progress is real. These elements make exceptions a structured tool rather than a loophole. If you want control effectiveness, you must make exceptions harder than compliance over the long term.
Duration limits should be tied to the nature of the constraint and the risk carried, because a one-size limit can be either unrealistic or too permissive. A short duration might make sense for a tooling gap that can be fixed quickly, while a longer duration might be required for a vendor roadmap dependency, but in both cases the timeline must be explicit. Renewals should include thresholds, such as requiring higher approval authority after a certain number of renewals or after a certain total age, because repeated renewals are a signal that the exception is becoming a de facto policy. Duration should also be paired with review checkpoints, so the owner must report progress before the exception expires, not after. This prevents the common pattern of discovering at expiry that nothing changed and renewing out of convenience. If the organization treats duration as real, it will plan remediation work earlier. If the organization treats duration as symbolic, exceptions will pile up and control effectiveness will decay. Time discipline is one of the strongest levers you have to prevent drift.
Every exception should require documented risk, business impact, and an accountable owner, because without these elements the decision is not grounded in reality. Documented risk means describing what could happen because the control is missing, who or what would be affected, and how likely the harm is in the given environment. Business impact means describing what would happen if the exception were denied, such as delayed delivery, service disruption, contractual breach, or operational cost. The accountable owner is the person responsible for both implementing compensating safeguards and driving the remediation plan that ends the exception. Ownership matters because exceptions without owners become orphaned risk, and orphaned risk is how organizations accumulate hidden exposure. The documentation must be clear enough that someone outside the team can understand the tradeoff without a long meeting. This is not about producing a perfect risk model, it is about making the risk visible and deliberate. When risk and impact are documented, leaders can make an informed choice rather than a pressured guess.
Compensating safeguards are the difference between a managed exception and a reckless gap, and they should be mandated when the exception affects meaningful risk. A compensating safeguard should reduce exposure or reduce impact in a measurable way, not just provide comfort. Measurable effectiveness can include stricter access controls, increased monitoring, reduced network exposure, temporary segmentation, additional approvals, or operational constraints that reduce opportunities for misuse. The safeguard should be tied to the risk described, meaning it should address the most likely harm caused by the missing control. It should also have verification, because safeguards that cannot be verified tend to be forgotten. The compensating control should be time-bound as well, aligned with the exception duration, and it should be removed or adjusted when the primary control is implemented. This keeps the environment from accumulating layered complexity. The goal is to keep control effectiveness high even when a specific requirement cannot be met immediately. Compensating safeguards are how you maintain the spirit of the control while the letter is temporarily deferred.
A useful example is an encryption delay offset by tightened access controls, because encryption is often hard to retrofit quickly in legacy or vendor-constrained systems. If encryption at rest cannot be implemented by the required date, the risk is increased exposure if storage is accessed improperly or if the system is compromised. A compensating approach might include narrowing access to the data store to a smaller set of identities, requiring stronger authentication for those identities, increasing monitoring on access events, and restricting network paths to the system. You might also require more frequent access reviews and implement additional alerting for anomalous data access patterns. These safeguards do not replace encryption, but they can reduce the likelihood and detectability of misuse while encryption work is underway. The exception would include a plan for when encryption will be implemented and what milestones will prove progress. It would also include verification steps that confirm tightened access and monitoring are actually in place. This example shows the intent: protect the data through alternative controls until the primary control is delivered. The compensating controls are the bridge, not the destination.
Approval flow needs to be explicit and consistent, because inconsistent approval is how exceptions become political rather than risk-based. The requester should state the requirement, the reason compliance is not possible, the duration requested, the risk and business impact, and the proposed compensating safeguards. A risk review step should validate the risk description, evaluate whether safeguards are adequate, and confirm whether the request meets eligibility criteria. The authority decision step is where a designated approver accepts the residual risk and authorizes the exception, ideally at a level that matches the risk magnitude. The approver should also be empowered to deny, shorten duration, require stronger safeguards, or require a phased plan rather than a simple waiver. The flow should include clear decision rights so teams do not shop for a friendly approver. It should also include documentation of the decision rationale so the organization can explain later why the exception was granted. When approval flow is consistent, exceptions become a managed portfolio rather than a collection of favors.
A common pitfall is rolling exceptions becoming de facto policy, which happens when exceptions are renewed repeatedly and everyone starts treating the exception path as normal. This pitfall is dangerous because it bypasses formal policy change processes and eliminates visibility into risk tradeoffs. Rolling exceptions often occur because remediation is hard, capacity is scarce, and renewal is easier than fixing the underlying issue. They also occur when owners change and the exception record becomes unclear, leading to renewals by default. The prevention strategy is to make aging visible, make renewals harder over time, and require escalation when exceptions cross age thresholds. You can also require a decision at a certain point: either fund remediation, decommission the system, or formally change the standard with appropriate governance. This forces the organization to confront reality rather than drifting. Rolling exceptions are often a sign that the control model is misaligned with capability or that the organization is tolerating too much risk silently. Treat the pattern as a governance signal, not as a paperwork issue.
A quick win that prevents silent drift is dashboarding exceptions with aging indicators, because visibility changes behavior. An aging indicator shows how long an exception has been open, how close it is to expiration, and how many times it has been renewed. When leaders can see aging, exceptions stop being invisible background risk and start being a managed backlog. The dashboard should also show exception categories and affected system criticality, because not all exceptions carry the same risk. Aging visibility allows prioritization, focusing first on high-risk exceptions that are old or frequently renewed. It also helps detect process failures, such as exceptions with no owner, no compensating safeguard, or no remediation plan. This is a quick win because it does not require changing the policy itself, it requires organizing and displaying what already exists. Once exceptions are visible, teams become more disciplined about closing them, because no one wants to own the oldest, riskiest exception in the portfolio. Visibility is one of the most effective governance tools because it turns risk into an explicit management problem.
A realistic scenario is a vendor constraint that forces a time-bound waiver, such as when a third-party product cannot support a required control until a future release. In that case, the waiver must be explicit about what the vendor constraint is, what the timeline is, and what evidence will confirm when the constraint is resolved. The waiver should also define what the organization will do if the vendor timeline slips, because vendor timelines often change. Compensating safeguards become especially important here because you are relying on an external dependency, and you may not control how quickly the gap is closed. The approval authority should be appropriate for the risk, because vendor constraints can create broad exposure if the product is widely deployed. The waiver should include an exit plan, such as upgrading to the vendor release by a certain date, migrating to an alternative, or restricting use to lower-risk contexts until compliance is possible. Review checkpoints should be scheduled so the waiver is revisited before expiration, with progress verified rather than assumed. This scenario illustrates why exceptions and waivers must be treated as active risk management, not as passive paperwork.
A practical exercise is drafting one exception form fieldset, because the form structure is what enforces discipline at scale. The fieldset should capture what requirement is being deviated from, what systems and data are in scope, and what the justification is in plain language. It should capture requested start and end dates, with explicit duration, and it should capture an accountable owner who will drive closure. It should capture the risk description and the business impact, both concise but concrete, so approvers can make an informed choice. It should capture compensating safeguards, including how effectiveness will be verified and who will verify it. It should capture approval authority, including who must sign off and what thresholds require higher approval. It should capture renewal history and review checkpoints, so aging can be tracked and escalated. A disciplined fieldset makes weak exception requests obvious, because missing information becomes visible. When the form enforces clarity, the exception process becomes faster and more consistent.
Keep a simple memory anchor: temporary relief, permanent accountability. Relief is temporary because exceptions are designed to unblock progress or accommodate constraints without changing the target control state. Accountability is permanent because the risk does not disappear, and someone must own it until the exception is closed or the standard is formally changed. The anchor reminds you that the exception process is not about making hard requirements go away, it is about managing the path from current reality to the required end state. It also reminds leaders that approving an exception is approving residual risk, and residual risk must be visible and revisited. Permanent accountability also means that compensating safeguards and review checkpoints must be real, not symbolic. When accountability is durable, the organization is less likely to accumulate hidden exposure. This anchor helps keep the exception program honest under pressure. It turns exceptions into disciplined decisions rather than quiet drift.
As a recap, effective exception and waiver handling starts with clear definitions, because vocabulary drives expectations and enforcement. Eligibility criteria determine which deviations are acceptable and prevent the exception path from becoming the default. Duration limits, renewals, and age-based escalation protect against rolling exceptions becoming de facto policy. Documented risk, business impact, and a named owner make the decision grounded and accountable. Compensating safeguards preserve control effectiveness while primary controls are delayed, and safeguards must be measurable and verifiable. Approval flows must be consistent, with clear decision rights and documented rationale. Dashboards with aging indicators create visibility that drives closure and prioritization. Scenarios like vendor constraints show why time-bound waivers need exit plans and contingency thinking. Forms and fieldsets enforce discipline at scale by making weak requests obvious. When these elements work together, flexibility exists, but control strength remains intact.
To conclude, audit your open exceptions and close overdue items, because open exceptions are a risk inventory whether you treat them that way or not. Start by identifying the oldest exceptions, the most frequently renewed exceptions, and the exceptions that affect high-risk systems or sensitive data. Verify that each exception has an owner, compensating safeguards, and a realistic closure plan, and escalate where those elements are missing. For exceptions that cannot be closed because reality has not changed, require a higher-level decision about whether to fund remediation, retire the system, or formally adjust the standard through governance. Update dashboards and review cadences so aging remains visible and exceptions do not quietly accumulate again. When you keep the exception program disciplined, you preserve the credibility of your controls and you maintain flexibility without sacrificing protection.
