GDPR, DORA, NIS… Companies are today subject to more and more regulatory and compliance frameworks. Although these rules are essential to guarantee a high level of security in the organization, they can sometimes hinder the fluidity of operations.
But then how to manage a situation that does not comply with the company’s information system security policy (PSSI) or one of the numerous applicable texts? What is an exemption? And above all, how to set up an exemption management system in a company?
What is a waiver?
A waiver can be defined as an exceptional authorization or temporary exemption granted to deviate from rules or policies established within the organization.
For Baptiste David, PreSales and Delivery Manager at Tenacy, “the exemption is a non-application of a security measure. “.
A concrete example of this need for exemption can be observed in the management of the internet access policy in companies: it is not uncommon to see IT departments block access to recreational sites such as Facebook within companies, for fear of leaks of sensitive information or malware infection. If legitimate, this generalized restriction systematically impacts communications and marketing teams, who legitimately use social networks. It is in this case that exemptions make it possible to adapt the company’s security policy to specific needs.
Another example of an exception concerns the management of administrator rights within an organization. Generally, employees do not have rights to administer their workstations. However, it may happen that in particular situations, the user needs administrator rights to install or update software. Here again, the exemption allows the rule to be adapted depending on the situation.
Please note that the exemptions are not limited only to the individual needs of users. They can also apply at a hierarchical level, such as a department or a department – the famous VIPs.
Using exemptions, is it obligatory?
Exemptions are not strictly obligatory, but it should be noted that certain regulations require them. From a risk management perspective, the lack of waiver management may be a sign that the company is not considering all potential scenarios and the specific needs of its users.
The latter, often creative in their needs, can find justifications not to comply with established policies – or even to circumvent the problem by using software tools not approved by the IT department. Good management of exemptions consists of asking the question “why” behind each exception request.
For Baptiste David, “in this scenario, the exemptions aim to distinguish legitimate needs from illegitimate needs, while ensuring the security of the company and avoiding unauthorized circumvention”. An increase in requests which requires companies to have a system for managing exemptions.
WHY SET UP A waiver management system?
Define a regulatory framework
An exemption management system makes it possible to:
- receive opening requests;
- keep a history of exchanges with the aim of strengthening transparency and everyone’s responsibility.
This centralization allows IT teams to monitor and take into account any changes to the company’s security policy.
Facilitate audits
By having a tool centralizing previous exemption requests, the company can demonstrate in a transparent and documented manner how it manages these exceptions.
When an auditor asks about waiver management, the company can provide tangible evidence of its waiver process, showing its commitment to compliance and security. Without this documentation, the company risks having to consolidate information, which can complicate and prolong the audit process while increasing the level of stress in teams.
Avoid sanctions
The absence of an exemption management system can have serious consequences for a company. In the event of an audit, the company risks being criticized for a lack of monitoring and documentation, which can lead to sanctions, such as fines or loss of certifications.
Remember that certification, like that of the ISO 27001 standard, has today become a guarantee of confidence and an imperative in the choice of a service provider. Losing this certification can harm the reputation of the company and compromise its ability to access contracts or even respond to calls for tenders.
How to set up an exemption management system with Tenacy?
Tenacy offers powerful features designed to simplify and optimize waiver management.
Implement an easy-to-use tool
With Tenacy, a user can submit an exception request per ticket, indicating the reasons and duration of this exception. The approver can then accept or reject the request, adding an expiration date. This transparent collaboration ensures that all stakeholders benefit from the same level of knowledge.
Organize follow-up
The Tenacy platform guarantees the monitoring and traceability of each exemption. This traceability includes the dates, the people involved, the objects of the exemption, and the period of validity. It is important to note that waivers are generally temporary, which means specifying an end date for each exception.
In order to correlate requests with the company security policy (PSSI), Tenacy allows these two elements to be linked to provide an overall vision allowing decision-making to accept or not the request.
Users can also add documents and comments to complete the tracking.
Measure performance
The use of performance indicators (KPIs) makes it possible to assess the overall effectiveness of the exemption management process. Number of exemptions processed, unprocessed, number of total exemptions, etc. Tenacy has performance indicators generated daily, providing essential information for management. To make sure you don’t forget anything, alerts and notifications remind users if an exemption is about to expire.
A platform that goes beyond waiver management
Just as choosing a CRM is not limited to taking notes on a company’s profile, the functional scope of the Tenacy platform goes far beyond the simple management of exemptions.
This platform offers a range of functionalities ranging from reporting to automation, with specific features such as the integration of a compliance catalog: this allows companies to precisely target the security policies that apply to their sector of activity.
In short
The use of exemptions is an essential element in risk management and the application of the security policy in the company. However, this cannot be done without the establishment of a reliable and effective exemption management system.
With Tenacy, waiver management becomes a seamless, seamless process in accordance with the most stringent compliance requirements. Do not hesitate to contact our experts to find out more!