
Policy Exception Workflow

Sometimes policies need exceptions for business reasons. Request exception with justification, get manager approval, and set expiry date. Exceptions are time-limited and fully audited.

Requesting Exception

  1. Go to Compliance → Policies → [Policy] → Request Exception
  2. Fill:
    • Specific Deviation: Which part of the policy doesn’t apply? (e.g., “User X needs access without MFA”)
    • Business Justification: Why is this needed? (e.g., “Legacy system requires password-only auth”)
    • Duration: When does the exception expire? (e.g., “Until March 31, 2025, when the system is upgraded”)
    • Scope: Who or what does this apply to? (e.g., “User: john.doe@company.com” or “Legacy system server”)
    • Approver: Who approves it? (e.g., “Security Lead” or “CISO”)
  3. Submit

Exception enters approval queue.

Approval Workflow

Approval Stage

  1. Approver notified: “Exception requested for Data Protection Policy”
  2. Reviews:
    • Exception details
    • Justification
    • Expiry date
    • Risk assessment
  3. Decides:
    • Approve: Grants exception for specified duration
    • Approve with conditions: Exception granted + specific requirements
    • Reject: Denies exception with feedback

Approval Example

Policy: PII Handling
Exception Requested: Employee needs to store customer SSN locally (normally prohibited)
Justification: Legacy customer database requires local copy for weekend batch processing
Duration: Until June 30, 2025 (when cloud migration complete)
User: data-team@company.com
Approval Decision: APPROVED WITH CONDITIONS
Conditions:
1. Data stored on encrypted drive only
2. Automatic purge after each batch run
3. Weekly audit of access logs
4. Exception reviewed monthly
5. Must upgrade to cloud solution by June 30

Exception Lifecycle

Requested (Mar 1) → Under Review → Approved (Mar 5) → Active (Mar 5-Jun 30) → Expired (Jul 1)

After expiry:

  • Exception automatically deactivated
  • Policy normal rules apply again
  • Owner can request renewal if needed

Exception Dashboard

Compliance → Policies → Exceptions shows:

ACTIVE EXCEPTIONS (2)
├── PII Local Storage
│     User: data-team@company.com
│     Expires: Jun 30, 2025 (108 days)
│     Approved by: Sarah (CISO)
│     Conditions: 3 (review monthly)
└── Multi-Factor Auth Bypass
      User: legacy-system-account
      Expires: Aug 15, 2025 (152 days)
      Approved by: John (Security Lead)
      Conditions: 2

PENDING EXCEPTIONS (1)
└── Credit Card Storage
      User: finance-team@company.com
      Requested: Mar 13
      Status: Awaiting CTO approval
      Duration: 30 days (if approved)

EXPIRED EXCEPTIONS (5)
└── Old system access (expired Mar 1)

Compliance Impact

Exceptions are tracked in compliance audits:

Policy: PII Handling
Coverage: 99 users + 1 exception
✓ 99 users follow policy
⚠ 1 user has approved exception (expires Jun 30, 2025)
Status: COMPLIANT (with documented exception)

Approvals and documentation prove compliance even with exceptions.
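The lifecycle and compliance-impact behaviour described above, modelled as an added example (not code from the original page or the product it documents). It enforces a mandatory expiry date on every request, records each state change in an audit log, automatically deactivates the exception once the expiry date has passed so that normal policy rules apply again, and computes a coverage summary like the one above. The class and function names, the 99 constructed user accounts, and the rule that a user whose exception has expired counts as uncovered are all assumptions made for this example.

```python
"""Time-limited policy exception with an audit trail (added example, not the
page's or product's own code). Names, dates and sample users are constructed to
mirror the page's PII Handling example."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Status(Enum):
    REQUESTED = "Requested"
    UNDER_REVIEW = "Under Review"
    ACTIVE = "Active"        # approved and inside its validity window
    REJECTED = "Rejected"
    EXPIRED = "Expired"      # automatically deactivated after the expiry date


@dataclass
class PolicyException:
    policy: str
    deviation: str
    justification: str
    scope: str               # user, group or system the exception covers
    approver: str
    requested: date
    expires: date            # mandatory: every exception is time-limited
    status: Status = Status.REQUESTED
    conditions: list[str] = field(default_factory=list)
    audit_log: list[tuple[date, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Best practice 1: refuse anything that is not time-limited.
        if self.expires <= self.requested:
            raise ValueError("exception must expire after the request date")
        if not self.justification.strip():
            raise ValueError("business justification is required")
        self._log(self.requested, f"requested for scope {self.scope}")

    def _log(self, when: date, event: str) -> None:
        self.audit_log.append((when, event))

    def start_review(self, when: date) -> None:
        self.status = Status.UNDER_REVIEW
        self._log(when, f"{self.approver} notified, review started")

    def decide(self, when: date, approve: bool,
               conditions: list[str] | None = None, feedback: str = "") -> None:
        """Approve (optionally with conditions) or reject with feedback."""
        if approve:
            self.conditions = list(conditions or [])
            self.status = Status.ACTIVE
            kind = "approved with conditions" if self.conditions else "approved"
            self._log(when, f"{kind} by {self.approver}, expires {self.expires}")
        else:
            self.status = Status.REJECTED
            self._log(when, f"rejected by {self.approver}: {feedback}")

    def refresh(self, today: date) -> Status:
        """Auto-deactivate once the expiry date has passed."""
        if self.status is Status.ACTIVE and today > self.expires:
            self.status = Status.EXPIRED
            self._log(today, "automatically deactivated on expiry")
        return self.status

    def days_remaining(self, today: date) -> int:
        return max((self.expires - today).days, 0)

    def is_active(self, today: date) -> bool:
        return self.refresh(today) is Status.ACTIVE


def compliance_summary(policy: str, users: set[str], following: set[str],
                       exceptions: list[PolicyException], today: date) -> dict:
    """Users following the policy vs. users covered by an active exception.

    Assumption for this example: a user who neither follows the policy nor
    holds an active exception (e.g. after expiry) makes the policy non-compliant.
    """
    covered = {e.scope for e in exceptions
               if e.policy == policy and e.is_active(today)}
    compliant = users & following
    excepted = (users - compliant) & covered
    gaps = users - compliant - excepted
    if gaps:
        status = "NON-COMPLIANT"
    elif excepted:
        status = "COMPLIANT (with documented exception)"
    else:
        status = "COMPLIANT"
    return {"following": len(compliant), "exceptions": len(excepted),
            "uncovered": sorted(gaps), "status": status}


def pii_example() -> PolicyException:
    """Constructed walk-through of the page's PII Handling exception."""
    exc = PolicyException(
        policy="PII Handling",
        deviation="Store customer SSN locally (normally prohibited)",
        justification="Legacy customer database requires local copy for weekend batch processing",
        scope="data-team@company.com", approver="Sarah (CISO)",
        requested=date(2025, 3, 1), expires=date(2025, 6, 30))
    exc.start_review(date(2025, 3, 2))
    exc.decide(date(2025, 3, 5), approve=True, conditions=[
        "Data stored on encrypted drive only", "Automatic purge after each batch run",
        "Weekly audit of access logs"])
    return exc


if __name__ == "__main__":
    exc = pii_example()
    users = {f"user{i}@company.com" for i in range(99)} | {exc.scope}  # constructed
    following = users - {exc.scope}
    for day in (date(2025, 3, 14), date(2025, 7, 1)):
        print(day, exc.days_remaining(day), compliance_summary("PII Handling", users, following, [exc], day))
    for when, event in exc.audit_log:
        print(when, event)
```

Running the script prints the summary on Mar 14 (99 following, 1 exception, compliant with documented exception) and again on Jul 1, after automatic deactivation, where the same user is now uncovered; the audit log lists every transition with its date.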

Best Practices

  1. Time-Limit All Exceptions: Never grant permanent (“forever”) exceptions
  2. Document Justification: Clearly explain why the exception is needed
  3. Conditions: Specify compensating controls
  4. Review Regularly: Re-approve periodically to confirm the exception is still necessary
  5. Audit Access: Monitor users operating under an exception more closely
  6. Plan Remediation: Every exception should include a plan to eliminate the need for it