Vulnerability Management Exception Procedure (SEC-PROC-009)

1. Purpose

To outline the process for formally requesting, approving, and documenting an exception to a remediation Service Level Agreement (SLA) for an identified vulnerability.

2. Scope

This procedure applies when an asset owner cannot remediate a vulnerability within the timeframe defined in the Vulnerability Management Policy and requires a formal exception.

3. Overview

This procedure provides a streamlined pathway for managing situations where immediate vulnerability remediation is not feasible. It details the steps for an asset owner to request an exception, the simplified approval workflow, and the requirement to document approved exceptions in the risk register for regular review.

4. Procedure

Step | Who | What
1 | Asset Owner | Submits a formal Exception Request Form, including a detailed justification, risk analysis, and any compensating controls in place.
2 | Security Lead (e.g., CTO or IT Manager) | Reviews the request for business validity and security implications, then provides final approval or denial.
3 | Security Lead | Documents the approved exception, including its expiration date, in the risk register.
4 | Security Lead | Reviews all active exceptions on a quarterly basis to ensure they are still valid and necessary.

5. Standards Compliance

Procedure Step(s) | Standard/Framework | Control Reference
1-6 | SOC 2 Trust Services Criteria | CC7.1 - Risk Mitigation

6. Artifact(s)

A completed and approved Exception Request Form documented in the risk register.

7. Definitions

Security Lead: A designated individual responsible for security oversight, typically the CTO or IT Manager in a small organization.

8. Responsibilities

Role | Responsibility
Asset Owner | Initiates the exception request and provides all necessary justification and documentation.
Security Lead (e.g., CTO or IT Manager) | Provides approval for exception requests and ensures proper documentation in the risk register. Conducts quarterly reviews of all active exceptions.