Password Policy Exception Procedure (SEC-PROC-003)

1. Purpose

To provide a formal process for requesting, reviewing, and documenting exceptions to the Password Policy.

2. Scope

This procedure applies to all personnel and systems within the organization when a deviation from the established Password Policy is required.

3. Overview

This procedure outlines the steps for submitting, evaluating, and documenting requests for exceptions to the company’s Password Policy. It ensures that any deviation is subject to a formal risk assessment and approval by the Security Officer, and that all approved exceptions are tracked.

4. Procedure

Step | Who                  | What
1    | User or System Owner | Submits a formal Password Policy Exception Request form, including a detailed justification and any proposed compensating controls.
2    | Security Officer     | Conducts a risk assessment of the request to evaluate potential security impacts and formally approves or denies the request in writing.
3    | Security Officer     | Documents all approved exceptions, including the justification, risk assessment, and expiration date, in a central tracking log.

5. Standards Compliance

Procedure Step(s) | Standard/Framework | Control Reference
1-3               | SOC 2              | CC6.1
1-3               | HIPAA/HITECH       | 45 CFR § 164.308(a)(5)(ii)(D)

6. Artifact(s)

A completed and approved Password Policy Exception Request form.

7. Definitions

N/A

8. Responsibilities

Role              | Responsibility
User/System Owner | Initiates the exception request and provides all necessary information and justification.
Security Officer  | Performs a risk assessment, makes the final decision on the exception request, and maintains all documentation.