How to deal with Application Security Policy Exceptions
karthikaravind
in CISM
This question is not related to CISA/CISM certification, but a CISA/CISM expert could answer this, so I am posting it here.
We have defined an Application Security Baseline and expect existing/new applications to follow the baseline. Recently one of the newly developed applications doesn't follow a few of the security baselines.
Another day, a different website might be developed and that one might violate different policies in the baseline.
The development team might or might not fulfill the baseline requirements, and in such cases, how do we deal with such exceptions?
Suggestions needed from an Information Security point of view: should we document such exceptions and allow the website to operate? Should we accept the risk involved?
Could someone share thoughts on this?
Comments
cyberguypr (Mod)
I don't think anyone here can answer this. It's up to every company and its officials to determine what level of risk they are willing to accept. Ideally web apps would go through a structured threat risk modeling exercise, assessments and whatnot. At the end of the day the ISO, CISO, or some other management peep must make a decision on risk acceptance and be ready to accept the consequences for that decision.
soccarplayer29 (Member)
I agree with cyberguy. It depends on the organization. And yes, I would document deviations from the baseline and do analysis to see if those deviations increase the risk to the organization and provide the analysis to management for their review of the risks and next actions (remediations, decommissioning, acceptance, etc.)
A couple other considerations:
Are the defined "application security baselines" required?
Are the developers aware of the baselines?
Can changes to the application be made to align with the baselines?
How important is the application to the business?
What does the application do (i.e., is it just for internal uses, is it an ecommerce site, does it collect personal information or credentials, etc.)?
Certs: CISSP, CISA, PMP
Mike7 (Member)
Agree with both above.
Still new to the ISACA way, so...
Conduct risk assessment to evaluate the impact of violating baseline.
Suggest/implement mitigating, detective and compensating controls.
Document violation down.
Understand the business risk appetite.
Is the risk minimized to an acceptable level?
Advise business owner accordingly.
Allow web site to operate. Business always wins.
Choose the "best of..." depending on your role.
So are you the auditor, business owner, security manager or just a concerned stakeholder?
636-555-3226 (Member)
Agreed with Mikey Mike7 above me. I'll add that the Policy should list that any exception to the baseline be reviewed & approved by Person X. You don't get to decide if the application should keep going or gets stopped. Developers don't get to decide if the app should keep going or gets stopped. Person X decides. Maybe you'll do a risk assessment to see the pros/cons of the exception, maybe you won't. Again, Person X decides.