Exceptions to our defined IT controls are managed in what we call an 'exception library'.
- This library lists the specific exceptions associated with specific work requests that have been requested, their status in the approval process and the effective dates of these approvals and lastly which specific IT controls they apply to.
- Exceptions are individually identified, and these identifications are referenced within the various work requests where the exceptions are utilized, for traceability purposes.
- The exception library is available for 'read access' to all associates so that they may check the status of requests as well as which are valid or not.
Recently a risk manager questioned whether these exceptions should be made public (even if only to company associates). The rationale was that since the individual exceptions are made public, anyone could access a valid exception and reference it on any work request.
I've not found anything in the public domain specific to similar exception libraries or what others think with respect to whether these should be made available to all applicable associates, a subset of associates involved with the specific work activities exceptions have been granted to, or only to those associates involved with IT Governance.
I'm looking for your thoughts and/or experiences with control exceptions and the awareness/communication of these exceptions. Thanks!