That’s why we’re excited to launch Mondoo’s unified exceptions management that provides a formal process for documenting, approving, tracking, and reviewing exceptions for your entire IT infrastructure in one place.
Why do you need exceptions?
When vulnerabilities cannot be remediated right away, it’s important to be able to ‘switch off’ alerts for a specified time period, so teams can stay focused on what needs their immediate attention. For instance, valid reasons for setting an exception can be:
- Compensating controls or workarounds are already in place
- Updates are already planned within a short time frame
- Legacy applications that cannot run on updated operating systems
- Affected assets have uptime requirements and can’t be rebooted
- The finding is a false positive or of low impact and should be ignored

Setting an exception means that the vulnerability still shows up, but it’s marked as an ‘exception’ and isn’t included in risk score calculations. An exception can be temporary (e.g., waiting for a scheduled update) or longer term (e.g., a legacy system scheduled for decommission). Although exceptions are important for day-to-day vulnerability management, it’s easy to see how they could lead to disastrous outcomes if not managed properly. That’s why a formal management process is needed.
What is Exceptions Management?
Exceptions management is the formal process of documenting, approving, tracking, and reviewing vulnerabilities that cannot be remediated within standard timelines. Having a formal review process ensures that exceptions are not ad-hoc decisions but properly documented, risk-assessed, time-limited, and approved by the appropriate stakeholders (e.g., system owners, risk management, business leaders).

This maintains accountability as operations scale, and ensures that exceptions are:
- Risk-assessed
- Justified
- Approved by the right stakeholders
- Bound by clear expiration dates
- Continuously monitored
- Well-documented
With proper exceptions management, exceptions are an element of risk governance, not a loophole. Without it, teams waste time investigating irrelevant issues and reports show compliance and security gaps that have already been resolved by workarounds.
Challenges of Exceptions Management
While most organizations invest in vulnerability scanners and patching tools, one area that is often underdeveloped is exceptions management. Yet, as we’ve seen above, exceptions management is the backbone of a mature, enterprise-grade vulnerability management program.
However, there are often several challenges when implementing exceptions:
- No unified experience: Exceptions need to be set in each siloed security tool, even if they’re from the same vendor. This can cause duplicate work, conflicting settings, and confusion.
- Lack of automation: It’s important to receive automatic reminders about exceptions that need review and those that are about to expire; otherwise it’s easy to lose track. Even if tools support exceptions, they don’t always include this automation.
- No role-based permissions: The roles of requester and approver should be separated so that multiple stakeholders are involved in setting the exception.
- No audit trail: The auditor will be taking a close look at any exceptions on the system, so it’s very important to document reasons, requesters, approvers, and renewals, including the history of the exception.
- Lack of time bounds: It’s important to set time limits on exceptions to ensure that they get reviewed and are still valid.
How Mondoo delivers enterprise-ready exceptions management
Since the Mondoo platform covers your entire IT infrastructure, from cloud, on-prem, and endpoints to network devices, SaaS platforms, and the SDLC, you only need to set exceptions in one place. Mondoo’s automated review process ensures that each exception is reviewed and approved by the appropriate stakeholders, and requesters are automatically notified when their exceptions are about to expire.
Key features of Mondoo’s Exceptions Management:
- Centralized: All exceptions are managed from one central interface, avoiding duplication and possibly conflicting exception settings.
- Role-based: Mondoo users need the Exceptions Requester role to submit exception requests and the Exceptions Reviewer role to approve them.
- Flexible: Mondoo allows you to select from different exception types and specify the time frame for which the exception should apply. For each exception, a justification must be entered, which is important when reviewing or auditing exceptions at a later stage.
- Visible: Exceptions should not be a way to hide problems. That’s why Mondoo clearly shows when an exception has been set for a finding.
- Formal and automated process: Each exception requires approval from a user with Exceptions Reviewer permissions. This means that multiple stakeholders are always involved in deciding whether a case warrants an exception.
- Notifications: It’s important not to lose track of expiring exceptions or those that require approval. This is why Mondoo sends automated reminders via email.
- Auditable: Each exception can be reviewed in the Exceptions dashboard and includes detailed information on why and when the exception was requested, the time frame, the requester, the approver, any extensions, and the current expiration date.
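To make the properties listed in the challenges and features above concrete, here is a small Python model of an exception workflow. It is an added illustration, not Mondoo’s code, API, or data model; the role names, the 90-day cap on a single exception, the user names, and the sample findings are all assumptions. It enforces a mandatory justification and time bound on every request, requires approval by a different user holding the reviewer role (even when one person holds both roles), keeps an append-only history, excludes a finding from the risk score only while its exception is approved and unexpired, and exposes the query a reminder job would run for exceptions about to expire.

```python
"""Toy model of a formal exception workflow (added example, not Mondoo's code).
Role names, the duration cap, and the sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed role assignments; user names are placeholders.
ROLES = {
    "alice": {"requester"},
    "bob": {"reviewer"},
    "carol": {"requester", "reviewer"},
}

MAX_DURATION = timedelta(days=90)  # hypothetical policy cap on one exception


@dataclass
class Finding:
    asset: str
    check_id: str
    severity: float  # score that feeds the risk total


@dataclass
class RiskException:
    finding: Finding
    requester: str
    justification: str
    expires_at: datetime
    approver: Optional[str] = None
    history: List[str] = field(default_factory=list)  # append-only audit trail

    def is_active(self, now: datetime) -> bool:
        # Only an approved, unexpired exception suppresses risk.
        return self.approver is not None and now < self.expires_at

    def log(self, now: datetime, event: str) -> None:
        self.history.append(f"{now.isoformat()} {event}")


class ExceptionRegistry:
    def __init__(self) -> None:
        self.exceptions: List[RiskException] = []

    @staticmethod
    def _require_role(user: str, role: str) -> None:
        if role not in ROLES.get(user, set()):
            raise PermissionError(f"{user} lacks the {role} role")

    def request(self, user, finding, justification, duration, now) -> RiskException:
        self._require_role(user, "requester")
        if not justification.strip():
            raise ValueError("a justification is mandatory")
        if not timedelta(0) < duration <= MAX_DURATION:
            raise ValueError(f"duration must be positive and at most {MAX_DURATION.days} days")
        exc = RiskException(finding, user, justification, now + duration)
        exc.log(now, f"requested by {user}: {justification}")
        self.exceptions.append(exc)
        return exc

    def approve(self, user, exc, now) -> None:
        self._require_role(user, "reviewer")
        if user == exc.requester:  # separation of duties, even for dual-role users
            raise PermissionError("requester and approver must be different people")
        exc.approver = user
        exc.log(now, f"approved by {user} until {exc.expires_at.date()}")

    def extend(self, user, exc, extra, now) -> None:
        # An extension goes through the same reviewer gate and the same cap.
        self._require_role(user, "reviewer")
        if exc.approver is None or not timedelta(0) < extra <= MAX_DURATION:
            raise ValueError("only approved exceptions can be extended, within the cap")
        exc.expires_at += extra
        exc.log(now, f"extended by {user} to {exc.expires_at.date()}")

    def risk_score(self, findings, now) -> float:
        # The finding still exists; it just stops counting while excepted.
        active = {(e.finding.asset, e.finding.check_id)
                  for e in self.exceptions if e.is_active(now)}
        return sum(f.severity for f in findings if (f.asset, f.check_id) not in active)

    def pending_review(self) -> List[RiskException]:
        return [e for e in self.exceptions if e.approver is None]

    def expiring_within(self, window, now) -> List[RiskException]:
        # What a reminder job would mail out to requesters.
        return [e for e in self.exceptions
                if e.is_active(now) and e.expires_at - now <= window]


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reg = ExceptionRegistry()
    web = Finding("web-01", "check-placeholder-1", 7.5)  # constructed finding
    exc = reg.request("alice", web, "WAF rule blocks the vulnerable path",
                      timedelta(days=30), now)
    reg.approve("bob", exc, now)
    print(reg.risk_score([web], now))  # 0.0 while the exception is active
    for line in exc.history:
        print(line)
```

The two checks worth noting are that an unapproved request changes nothing in the risk score, and that once the expiry passes the finding counts again without anyone having to remember to re-enable it; the expiry date, not a manual toggle, is what ends the exception.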

Conclusion
An enterprise-ready vulnerability management program is not one that patches everything. Instead, it should use a deep understanding of the risk landscape to make informed decisions, document reasons, and track and review accepted risk, enabling business operations securely and realistically. Although Exceptions Management may not be the first thing that comes to mind when selecting your vulnerability management platform, it might actually make the difference between ‘shelfware’ and a platform that teams actually use.
Want to learn more? Schedule a demo to see Mondoo in action.