Assign controls as in progress or risk accepted
this quarter
J
Josh Brodbent
Currently, we have some legacy equipment that we allow to bypass conditional access as long as it is from within our network, and we will apply those exceptions to those policies. They are extremely limited in scope, and would make the client compliant in my opinion. We should be able to mark some of these controls as risk accepted, in progress, or complete with an asterisk, instead of it just auto-detecting based on the policy.
T
Tristan Bryant
Yes to this, BUT please add a section to the item for a note that we can fill with an explanation of WHAT that exception is. I cannot tell you how annoying it is to see "risk accepted" on a control, and then spend an hour trying to figure out HOW or WHERE it was accepted.
M
Mick Alford
I agree we shold have an option to mark some controls as risk accepted.
M
Matthew Chapman
I have a client who requires MFA with a custom policy that requires a passkey device. Being able to show which policy satisfies the condition would be very useful
K
Ken Weaverling
Thanks for posting this. This is one of my hesitations to signing up for the preview. Similar situation, I have a single special purpose login account (like an 80yo volunteer) that can only log in on a trusted network and can bypass MFA for that although I am working on converting these cases to passwordless FIDO2 keys though.
S
Scott Riley
marked this post as
this quarter
S
Scott Riley
marked this post as
future planned
S
Scott Riley
Hey Josh, definitely. We know that different clients have different quirks and so we have Exceptions / Exclusions as a roadmap item. I'll merge this suggestion into that item once I've got it listed here in the Feedback portal for us. Thanks for checking out ISPM and keep feeding back!