Exception Register (Risk Acceptance)

Oct 14, 2025

Columns

Column	Purpose
Exception ID	e.g., `EX-2025-004`
Finding Ref	Link to item in SLA tracker
Severity	Critical / High / Medium / Low
Scope	Service / image / env affected
Justification	Why acceptance is necessary
Compensating Controls	WAF rule, feature flag, NetPol, monitoring
Owner	Person/team managing risk
Approver	Security approver
Expiry	YYYY-MM-DD (hard stop)
Status	Proposed / Approved / Expired / Revoked / Closed
Review Notes	Outcome of periodic review

Rule: expired = revoked unless explicitly renewed.

CSV seed

Exception ID,Finding Ref,Severity,Scope,Justification,Compensating Controls,Owner,Approver,Expiry,Status,Review Notes
EX-2025-004,SCA-2025-014,High,ship/app-prod,"Upgrade blocked by vendor","WAF block + NetPol egress limit",alice,sec-lead,2025-11-15,Approved,"Review weekly"

Exception Register (Risk Acceptance)

Columns

CSV seed

Ask AppSec: free security newsletter

Ask AppSec: free security newsletter