Exception management in Container Vulnerability Response
Summarize
Summary of Exception Management in Container Vulnerability Response
Exception management in Container Vulnerability Response allows organizations to request exceptions for container vulnerable items (CVITs) that cannot be remediated according to established security policies. This process involves requesting, reviewing, approving, or rejecting exceptions, acknowledging the risks associated with not addressing specific vulnerabilities.
Show less
Key Features
- Exception Definition: An exception permits deferral of CVIT remediation for a specified period, typically when no patch is available.
- Requesting Exceptions: Remediation owners can request exceptions through the exception management process, moving the CVIT to a Deferred state upon approval.
- Approval Process: Exception requests are reviewed by vulnerability analysts and may require a two-level approval workflow, with specific roles determining request eligibility.
- Tracking: The status of exception requests can be monitored through the State Change Approvals tab associated with each CVIT.
- Expiry Management: Expired exceptions revert CVITs to the Open state, unless they pass in subsequent scans, in which case they are marked as Closed with a Fixed substate.
- Approval Rules Configuration: Users can view and modify approval rules for exceptions and false positives via the administration settings in the system.
Key Outcomes
By implementing exception management, ServiceNow customers can efficiently manage container vulnerabilities, ensuring that necessary exceptions are formally documented and approved, while also tracking their status. This process enables organizations to maintain compliance with security policies, even when immediate remediation is not feasible, thus facilitating better risk management and operational continuity.
When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to an container vulnerable item (CVIT) that cannot be remediated according to the policy.
Some container vulnerabilities (CVIT) might not have an existing patch, fix, or solution. When an exception is approved, it also means that you're accepting a risk because you're acknowledging and agreeing to the consequences of not remediating the vulnerability.
Life cycle of an exception
- Definition of an exception
- An exception is a request to defer the remediation of a CVIT or RT for a specified period. For example, as a remediation owner, you can request an exception if a patch is not available for a machine.
- Requesting an exception
- As the remediation owner, you can ask for an exemption for a CVIT or RT using the exception management process. After the exception approver approves this request, the CVIT or RT moves to a Deferred state.
- Approving an exception request
- CVIT or RTs that can't be remediated immediately are reviewed by vulnerability analysts, assessed for risk, and approved for deferral until they can be remediated. Approving an exception request can be a two-level workflow. If only the first-level approver is present, the exception can be requested and approved. However, if there's no first-level approver, an exception can't be requested. See Add an exception approver for more information.
Starting from Vulnerability Response v15.0, if you are deploying the VR application for the first time, the flow designer for exception management is enabled by default. If you are already using the workflow, you can update to the flow designer. In both cases, you cannot change it back to workflow. To configure approval rules for exception management and false positive, see Configure approval rules for Exception Management.
- Reopen
- Delete
- Update the Assignment to or Assignment groups fields
- Tracking an exception request
- After raising the exception, you can track its status by using the State Change Approvals tab of the CVIT or RT. If an action is taken on an RT, you can't track the status of the individual CVITs in that RT.
- Expiry of an exception request
- When an exception request for a particular CVIT or RT expires, the impacted CVIT or RT reverts to its Open state.
If a single CVIT or all the CVITs in a RT pass in the next scan, then the CVITs and, where applicable, the RT State field changes to Closed with the substate Fixed.
Configure approval rules
View and configure approval rules by navigating to . Request an exception for the CVITs that cannot be remediated or deferred immediately, by identifying the impacted vulnerabilities, configuration items (CIs), or CVITs. Automate the CVIT deferral process. Defer the matching CVITs based on these rules when the system identifies these CVITs.- Approval for Exception Requests: A default configuration with two approval levels is provided in the base system. Whenever there is an exception request on a vulnerable item, the approval request is sent to the users or groups
present in level 1. Once approved by level 1 approvers, it is sent to the level 2 approvers.Note:You can change the default levels and edit as required. Starting from Container Vulnerability Response v2.0.6, you can use the system properties provided in the base system for exception approvals via workflow in the System Properties [sys_properties] table. So, when an exception or false positive request is raised via workflow, it’s sent for approval to the group IDs defined in the system property. Navigate to and select sn_vul_container.container_exception_approver_L1, sn_vul_container.container_exception_approver_L2, or sn_vul_container.container_false_positive_approver_group to change the property value.
- Approval for Exception Rules: It does not have configuration but two approval levels.
- Approval for False Positives: It has one configuration with one approval level.