Skip to main content

Web Application / Scanning /Penetration Testing

Responsible Person: prasad.l@in.abb.com

As per our CIO and CEO, part of the “license to operate”, and that as per Group IS Governance Policy instructions issued by Group Information Security are mandatory.

This can only be waived if you have a sufficient level of secondary controls that would minimize the risk of exploitation, typically segregated environments where an exploit wouldn’t come through.

So, if you deem that you have such controls in place and you can summarize them, this might qualify for an exception as per the:

To avoid wrong expectations: This is not just a nominal process, but the Information Security Exception Standard section 

2.4.2 An exception request must be finally approved only after receiving confirmation that the agreed compensating controls are implemented.

and Information Security and Cyber Security Exception Policy states in sections 2.1.2 and 2.1.4:

2.1.2 Exceptions must be formally requested, assessed for risks, and approved or rejected by a designated authority in a timely manner.

2.1.4 Exceptions are granted

2.1.4.1 for a limited, specific period of time and/or scope, and

2.1.4.2 upon a valid business justification and

2.1.4.3 considering the risk for ABB and ABB customers.

As you can see, this is not as simple as just requesting an exception and it will be granted, it will require documentation and going thru different levels of approvals, which might require more efforts than just remediating the security gaps.