Since exceptions are tracked separately in each module, I’m wondering where others log their exceptions that are applicable to all modules.
Example: I have a risk of an unsupported operating system. I could log the exception in the risk module, stating that I have applications that do not support the latest OS version; or I could track it against the security policy stating that we must patch and keep our systems up to date. I could also track it at the control level, for either a patch management or vulnerability management control, and finally, I could track it at the compliance item, specifically thinking of ISO (managing technical vulnerabilities).

Ideally, I would track all exceptions in one module and then have the ability to map the exception within each module back to the parent, but my methodology has been to look at the highest level and apply the exception there. In this case that would be at the policy level. What are you guys doing?