This article describes best practices when working with rule exemptions. Learn about rule exemptions in the Cortex docs.
Define roles and choose approvers
To effectively manage Scorecard rule exemptions in Cortex, it's crucial to define clear roles and permissions. Only Admins or users with a custom role containing the "Configure Scorecard exemptions" permission can approve, deny, or revoke exemptions.
Take action:
- Consider creating custom roles to delegate exemption management to appropriate team members, such as Scorecard owners or team leads. This approach helps reduce bottlenecks and empowers teams to manage their own compliance.
- When creating a Scorecard, turn on the toggle for Enable user-specific notifications setting to configure rule exemption notifications to be sent to specific users. When a user requests an exemption, they will be given the option to specify which approvers should be notified.
Transparency and efficiency in exemption management
Admins can view all exemption requests and their statuses in Settings > Scorecards > Rule exemptions. This allows stakeholders to track and monitor the progress of requests.
Take action: Streamline the approval process by enabling notifications for rule exemption requests. This will ensure timely processing of exemptions and maintain overall transparency.
Communicating and enforcing policy
Establish and document clear ground rules for the exemption process. Communicate these rules effectively to all users who may request or approve exemptions. This ensures consistency and fairness in how exemptions are handled across the organization. Regularly review and update the policy as needed to address any emerging challenges or changes in organizational requirements.
Some policies you might include:
- Require clear, documented justification for each exemption request. This practice helps reviewers make informed decisions and provides an audit trail for future reference. Proper documentation ensures that exemptions are granted based on valid reasons and can be reviewed or reassessed as needed.
- Differentiate between permanent and time-bound exemptions to ensure appropriate handling of various scenarios. Use permanent exemptions only when there is no expectation that the entity will ever comply with the rule. For temporary situations, such as ongoing initiatives or technical debt being addressed, use time-bound exemptions with appropriate expiration dates. This approach ensures that exemptions are revisited and do not become permanent by default.
- Set best practices at your organization around the number of days that the rule is exempted. For low priority rules, you might allow a longer time period. For security-related, higher-priority rules, you might set shorter durations.
- You might want to set a policy that each team at your organization handles their own team's exemptions.