...
You should consider structuring your exceptions around the following:
| Anchor | ||||
|---|---|---|---|---|
|
http://security.utexas.edu/policies/irusp.html#section_5_19
- business case for exception
- physical controls for exception
- logical controls for exception
...
According to the Information Security Office (ISO), logical security controls would consist of implementing permissions, logging, and auditing mechanisms for access to unattended systems. For example, physical access of the "server room" should have an Access Control System in place to track who has access to a particular area, and logs when an individual has entered the controlled area.
Exception Form: https://security.utexas.edu/exception/
| Anchor | ||||
|---|---|---|---|---|
|
...