Access Control Policy Exception Procedure (SEC-PROC-003)

1. Purpose

To provide a formal process for requesting, reviewing, approving, and documenting exceptions to the password and authentication requirements of the Access Control Policy, so that every deviation is risk-assessed, time-bound, and tracked rather than granted informally.

2. Scope

This procedure applies to all personnel and systems within the organization whenever a deviation from the established password and authentication requirements of the Access Control Policy is required. It does not apply to other sections of the Access Control Policy.

3. Overview

This procedure outlines the steps for submitting, evaluating, and documenting requests for exceptions to the company's Access Control Policy password and authentication requirements. It ensures that any deviation is subject to a formal risk assessment and written approval or denial by the Security Officer, that approved exceptions carry an expiration date, and that all approved exceptions are recorded in a central tracking log.

4. Procedure

Step 1 - User or System Owner
Submits a formal Access Control Policy Exception Request form, including the specific requirement to be deviated from, a detailed business or technical justification, and any proposed compensating controls.

Step 2 - Security Officer
Conducts a risk assessment of the request, evaluating the potential security impact of the deviation and the adequacy of the proposed compensating controls, and formally approves or denies the request in writing.

Step 3 - Security Officer
Documents each approved exception in a central tracking log, recording the justification, the risk assessment, the compensating controls in effect, and the expiration date of the exception.

5. Standards Compliance

Procedure Step(s): 1-3
Standard/Framework: SOC 2 Trust Services Criteria
Control Reference: CC6.8 (Logical and Physical Access Controls)

6. Artifact(s)

A completed and approved Access Control Policy Exception Request form, together with the corresponding entry in the central exception tracking log.

7. Definitions

Exception: An approved, documented, and time-limited deviation from a specific password or authentication requirement of the Access Control Policy.

Compensating control: An alternative safeguard proposed by the requester and evaluated by the Security Officer that reduces the risk introduced by not meeting the original requirement.

8. Responsibilities

User/System Owner
Initiates the exception request and provides all necessary information, justification, and proposed compensating controls.

Security Officer
Performs the risk assessment, makes the final written decision on the exception request, and maintains the exception request forms and the central tracking log.