A cybersecurity waiver is a formal, documented agreement by an authorized party to temporarily or permanently exempt a system, process, or control from a specific security policy, standard, or requirement, often due to technical infeasibility or business necessity, with an associated acceptance of residual risk.

What is a waiver in cybersecurity?

In cybersecurity governance, a waiver is the mechanism that lets an organization formally deviate from an established security policy, standard, or control. The deviation is not an arbitrary disregard for security but a deliberate, documented decision made when strict adherence is impractical, technically infeasible, or would place an undue burden on business operations.

A waiver is granted only when the associated risks are thoroughly understood and formally accepted by appropriate management levels. It serves as a bridge between the ideal security posture and the operational realities that organizations face daily. Key elements of a waiver include:

  • Formal request outlining the specific policy or control being exempted
  • Justification explaining why compliance cannot be achieved
  • Risk assessment detailing the potential impact and likelihood of associated threats
  • Compensating controls to mitigate residual risk
  • Approval from authorized stakeholders such as the CISO, risk management, or legal teams
  • Defined expiration or review date to ensure the waiver does not persist indefinitely

Organizations following frameworks like NIST SP 800-53, ISO/IEC 27001, and COBIT often incorporate waiver processes as part of their information security management systems.

Why are cybersecurity waivers necessary?

Cybersecurity waivers exist because no organization operates in a perfect environment. There are several scenarios where waivers become necessary:

  • Technical infeasibility: Legacy systems or specialized hardware may not support modern security controls such as the latest encryption protocols or patching requirements.
  • Business continuity: Implementing a specific control could disrupt critical operations, causing greater organizational harm than the risk being mitigated.
  • Cost constraints: The cost of implementing a control may far exceed the value of the risk reduction it provides, making it disproportionate.
  • Time-sensitive deployments: Business units may need to rapidly deploy applications or services where full compliance cannot be achieved within the required timeline.
  • Third-party dependencies: Vendor products or cloud services may not allow the organization to enforce certain internal security standards.

Without a structured waiver process, organizations risk either enforcing policies rigidly—potentially hindering operations—or allowing ad hoc, undocumented exceptions that create hidden vulnerabilities. Waivers formalize risk acceptance and ensure accountability.

How do you write a cybersecurity waiver request?

A well-structured cybersecurity waiver request should provide all necessary information for decision-makers to evaluate the risk and make an informed judgment. According to best practices from organizations like the SANS Institute and ISACA, a waiver request should include the following components:

  1. Requestor information: Name, department, role, and contact details of the person or team submitting the request.
  2. Scope of the waiver: Clearly identify the specific policy, standard, or control requirement from which an exemption is sought, and the systems, applications, or processes affected.
  3. Justification: Provide a detailed explanation of why compliance cannot be achieved. Include technical evidence, business rationale, or third-party limitations.
  4. Risk assessment: Document the potential threats, vulnerabilities, and impact if the control is not implemented. Include likelihood and severity ratings consistent with the organization's risk framework.
  5. Compensating controls: Describe alternative measures that will be implemented to reduce the residual risk. For example, if a system cannot be patched, network segmentation and enhanced monitoring via IDS/IPS may serve as compensating controls.
  6. Residual risk statement: Clearly articulate the level of risk that remains after compensating controls are applied.
  7. Duration and review schedule: Specify whether the waiver is time-bound or permanent, and define a review cadence to reassess the waiver's necessity.
  8. Remediation plan: If the waiver is temporary, outline the plan and timeline to achieve full compliance.
  9. Approval chain: Identify the stakeholders required to approve the waiver (e.g., CISO, CTO, risk management committee, legal).

When should a cybersecurity waiver be granted?

A cybersecurity waiver should only be granted when specific conditions are met to ensure the organization does not expose itself to unacceptable risk. Appropriate circumstances include:

  • Risk is understood and documented: The associated risks have been thoroughly assessed and the residual risk is clearly defined.
  • Compensating controls are in place: Alternative security measures have been identified and implemented to reduce risk to an acceptable level.
  • Business justification is valid: There is a clear, defensible reason why compliance cannot be achieved within the current operational or technical constraints.
  • Executive risk acceptance: An authorized individual with the appropriate level of authority has formally accepted the residual risk on behalf of the organization.
  • Review mechanisms exist: The waiver includes a defined expiration date or periodic review schedule to prevent it from becoming a permanent, unchecked exception.

Example: A critical legacy system cannot be updated with the latest security patch without risking system instability. In this case, a waiver may be granted to bypass the patching requirement, provided compensating controls—such as network segmentation, intrusion detection/prevention systems (IDS/IPS), and enhanced logging—are put in place and actively monitored.

Example: A business unit needs to quickly launch a new application with a configuration that temporarily does not meet a strict data encryption standard. A time-bound waiver is approved with a concrete plan to implement full encryption within a defined period, typically 90 days or less.

Waivers should not be granted when the residual risk exceeds the organization's risk appetite, when compensating controls are insufficient, or when the waiver would violate regulatory or legal obligations.

Which controls can be waived in cybersecurity?

In principle, almost any security control can be subject to a waiver, but the decision must be made with careful consideration of the associated risk. Common categories of controls that organizations may waive include:

  • Patch management: Deferring security patches on systems where updates could cause instability or downtime, particularly for legacy or operational technology (OT) environments.
  • Encryption standards: Temporary exemptions from data-at-rest or data-in-transit encryption requirements for specific systems or applications.
  • Access control policies: Exceptions to multi-factor authentication (MFA) requirements or least-privilege access models for certain legacy systems or business-critical workflows.
  • Password complexity and rotation: Relaxing password policies for service accounts or systems that cannot support modern authentication standards.
  • Network segmentation: Allowing temporary deviations from network isolation requirements during system migrations or integrations.
  • Vulnerability scanning and remediation timelines: Extending the timeframe for remediating identified vulnerabilities when immediate remediation is not feasible.
  • Logging and monitoring: Reducing logging requirements for specific low-risk systems due to storage or performance limitations.

However, certain controls are generally considered non-waivable because the associated risks are too severe. These include controls mandated by legal or regulatory requirements (e.g., GDPR, HIPAA, PCI DSS), controls protecting critical infrastructure, and controls that, if absent, would leave the organization exposed to catastrophic breaches.

Effective waiver management, as recommended by frameworks such as NIST SP 800-53 and ISO/IEC 27001, requires maintaining a centralized waiver registry, conducting regular reviews, and ensuring that all waivers align with the organization's overall risk management strategy and compliance obligations.