No Exceptions.

What is the nature of rules? Must they be strictly adhered to or can they be flexible?

I recently went to rent a jet ski. After a long drive, people bailing out, technical issues with the trailer, and an impromptu splice and fix of the wiring harness… we finally made it to the lake, with just under 2 hours of sunlight left!

We get to the gate and the attendant asked… “Do you have a reservation?”.

We replied with a disheartening and anxious… “No.”

You can imagine my son’s disappointment.

I’ll get to what happened after at the end.


In the world of Information Security… the question you might be asked by the security team of your enterprise customer:

“Are you SOC2 compliant?”

Where you might reply with a disheartening and anxious… “No.”

Here is where the asking security team, or park ranger as above, can make a decision on whether to strictly adhere to their requirements for SOC2 compliance or make a calculated decision on a case by case basis.

Of course it’s easier to just say no and hide behind strict compliance.

Some companies will do business with 3rd party service providers only if they are SOC2 compliant. No exceptions.

IMHO, this is not sustainable. Many providers, including some relative big startups, have not achieved SOC2 yet.

An Exception Process

If you want to be a successful and collaborative security team, I recommend creating a robust exception process.

It shouldn’t be terribly easy, but it shouldn’t be impossible either.

Responsibility is on the requesting party to show they have compensating controls, a technical workaround, or a temporary waiver to get what they need in place. Having them understand the problem is extremely helpful for all of the above.

This is a tool in your toolset for security enablement.

Some other components to consider:

  • Expiration dates for exceptions (Tip: put in a separate ticket to track)

  • Documentation and detailed narrative behind the exception with the responsible party/group attached. Why the exception is required and impact to security.


Back to the Jet Ski story…

When speaking to the attendant I mentioned to him that I have all the necessary paperwork for the pre-launch inspection. I also mentioned how the jet ski was clean and dry, and the drain plugs were out.

The point here is that I took the effort to:

  • Speak their language

  • Make their job (and decision) easier

After hearing all this, the attendant said he’ll speak to the Park Ranger to seek an exception.

There was hope.

The Park Ranger heard our case and we were approved!!

Another individual that didn’t have a reservation, but also didn’t have their registration either, got denied.

With about an hour or so left in the day, my son and I were elated at the opportunity to get wet, even for just a little bit.

Happy 4th of July! Stay Safe!

Ayman