Announcing the Security Exceptions program pack 1.0
09/21/2024
Introduction
Every company establishes processes to identify security vulnerabilities, prioritize them, develop solutions, and, in some cases, strategically accept risk either temporarily or permanently. Security exceptions are closely tied to vulnerability management and involve escalating risks to the appropriate decision-makers, who determine whether delaying a fix or accepting the risk without addressing it is the right strategic decision. This release provides a simplified, repeatable process for managing exceptions.
Security Exception Program Pack 1.0
Welcome to the Security Exception Program Pack. The goal of this release is to provide all the necessary resources to establish and set up a fully functioning security exceptions program at your company.
In this pack, we cover:
Security Exception Definitions: This document describes common terminology used in an exceptions process, defines the stakeholders participating in the process, and provides a stakeholder approval table for decision making.
Security Exception Reporting Requirements: This document describes the minimal information needed in a vulnerability report to support evaluation and prioritization. It also includes examples of automation that can be used to report vulnerability remediation expectations to risk owners.
Security Exception Preparation Checklist: This checklist provides a step-by-step guide to researching, piloting, testing, and rolling out security exception tracking at your company. It also discusses examples of automation for tracking exception ticket health and oversight.
Security Exception Process Diagram: This diagram outlines the steps to perform when security exceptions need to be filed, when they have entered the review queue, and when reporting and health automation runs.
Security Exception Runbooks: This document outlines a set of standard procedures for handling a security exception. It outlines steps for the Risk Owner, Risk Approver, and supporting security staff (subject matter experts) to facilitate consistent approaches for handling and supporting exception requests.
Security Exception document template and tracker: The security exception template can be used in a Word document for capturing exception details, and the exception tracker can be used when a bug tracker is not used.
Security Exception Metrics: This document outlines common, baseline metrics for managing security exceptions at your company.
Download on GitHub: https://github.com/securitytemplates/sectemplates/tree/main/security-exceptions/v1
Previous releases
Vulnerability Management Program pack 1.0
The goal of this release is to provide you with everything you need to establish a bug bounty program. This includes alignment with stakeholders, working with a vendor, establishing a private bug bounty, and ultimately moving to a public bug bounty. This release pack is not sponsored or influenced by any particular bug bounty vendor and is neutral to vendor biases and influence.
Download on GitHub: https://github.com/securitytemplates/sectemplates/tree/main/vulnerability-management/v1
Bug bounty Program pack 1.0
The goal of this release is to provide you with everything you need to establish a bug bounty program. This includes alignment with stakeholders, working with a vendor, establishing a private bug bounty, and ultimately moving to a public bug bounty. This release pack is not sponsored or influenced by any particular bug bounty vendor and is neutral to vendor biases and influence.
Download on GitHub: https://github.com/securitytemplates/sectemplates/tree/main/bug-bounty/v1
About SecTemplates.com
To provide simplified, free, and usable open-source templates to enable engineering and smaller security teams to bootstrap security capabilities in their organizations.