Security-sensitive items under governance review
Keep security exceptions visible enough that they do not turn into normal operating drift.
The security review surface is now route-native in `apps/web`, keeping privileged access, policy deviations, and exception deadlines visible inside the production app shell.
Items needing review or closure inside 7 days
Admin or elevated grants in current review cycle
Standard exception review cadence
Security Exception Register
Exceptions should be explicit, time-bounded, justified, and reviewable.
| Exception | Reason | Review Date | Owner / Required Action |
|---|---|---|---|
| Temporary admin for reporting service account | Needed for data refresh troubleshooting during source migration | May 06 | Reporting owner / remove or renew with evidence |
| MFA exception for one field device workflow | Legacy operational process not yet moved to compliant pattern | May 11 | Service owner / provide remediation timeline |
| Vendor diagnostic access to remote access platform | Needed for active incident evidence and remediation support | May 02 | Infrastructure lead / close immediately after bridge ends |
| External Teams sharing approval exception | Short-term collaboration need with named business sponsor | May 15 | Collaboration owner / confirm expiration and access list |
Privileged Access Review
Elevated access should be reviewed like live operational risk, not passive paperwork.
| Access Area | Grants | Status |
|---|---|---|
| Infrastructure Admin | 7 active grants across remote access, endpoint, and server tools. | 2 due this week |
| Web / Publish Admin | 3 active grants for scheduled publishing and emergency rollback coverage. | All time-bounded |
| Data / Reporting Elevated Access | 2 temporary admin cases tied to migration and troubleshooting work. | 1 exception-linked |
| Vendor Diagnostic Access | 2 external elevated grants connected to contract-backed support cases. | Urgent review |