Exceptions & Gaps
Exceptions & Gaps is SecureHive’s unified issue tracking system — a single place to document, assign, and resolve security exceptions, control gaps, compliance findings, and operational issues across every module. Whether an issue originates from an audit finding, a risk assessment, a policy violation, a vendor assessment, or an application security scan, it is tracked here with consistent severity classification, ownership, and workflow automation.
Exceptions & Gaps connects to Risk Posture (risk-related issues), Policy Controls (policy enforcement issues), Audit Management (audit findings), Third-Party Exposure (vendor assessment issues), Incident Command (incident-linked issues), and the shared workflow engine for automated issue resolution.
Issue overview
Navigate to Exceptions & Gaps → Issues to view all issues across your organization. The issues dashboard shows open items grouped by severity and status, with filtering by type, module, assignee, and due date.
Each issue captures a title, detailed description, root cause analysis, business impact assessment, remediation recommendation, and supporting evidence. Issues also track remediation actions as structured entries documenting the steps taken to resolve the problem.
Issue classification
Issues are classified along three dimensions — type, severity, and status — providing consistent categorization regardless of where the issue originated.
Issue types
| Type | Description |
|---|---|
| Operational | Issues affecting day-to-day security operations and processes |
| Technical | Technical vulnerabilities, misconfigurations, or system deficiencies |
| Compliance | Deviations from regulatory requirements or compliance obligations |
| Security | Direct security threats, weaknesses, or control failures |
| Improvement | Opportunities to enhance the security posture proactively |
Issue severity
| Severity | Description |
|---|---|
| Critical | Immediate threat requiring urgent remediation |
| High | Significant risk that should be addressed promptly |
| Medium | Moderate risk with a reasonable remediation timeline (default) |
| Low | Minor issue that can be addressed during normal operations |
Issue status
Issues follow a defined lifecycle from creation through resolution:
| Status | Description |
|---|---|
| Open | Newly created, awaiting triage or assignment (default) |
| In Progress | Actively being worked on by the assigned owner |
| Resolved | Remediation complete, pending verification or closure |
| Closed | Fully resolved and verified — no further action needed |
| Accepted | Risk accepted with documented justification — no remediation planned |
| Cancelled | Issue withdrawn or determined to be invalid |
The typical flow is Open → In Progress → Resolved → Closed. Issues that represent acceptable risks can move directly to Accepted with appropriate justification and approval.
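The lifecycle above can be enforced as a small state machine so that an issue cannot skip verification or be accepted without a recorded justification. The Python below is an added example, not SecureHive code: the edges beyond the typical flow (reopening a Resolved issue that fails verification, cancelling, accepting while In Progress), the requirement that the approver differ from the user recording the acceptance, and the `User`/`Issue` field names are assumptions. It also gates every change behind the `issue:manage` permission described under Permissions.

```python
"""Enforcing the Exceptions & Gaps issue lifecycle (added example, not SecureHive code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Statuses from the status table.
OPEN, IN_PROGRESS, RESOLVED, CLOSED, ACCEPTED, CANCELLED = (
    "Open", "In Progress", "Resolved", "Closed", "Accepted", "Cancelled",
)

# Allowed transitions. The typical flow is Open -> In Progress -> Resolved -> Closed and
# Open -> Accepted; the remaining edges (reopening a Resolved issue that fails verification,
# cancelling, accepting while In Progress) are assumptions for this example.
ALLOWED: Dict[str, Set[str]] = {
    OPEN: {IN_PROGRESS, ACCEPTED, CANCELLED},
    IN_PROGRESS: {RESOLVED, ACCEPTED, CANCELLED},
    RESOLVED: {CLOSED, IN_PROGRESS},
    CLOSED: set(),      # terminal
    ACCEPTED: set(),    # terminal
    CANCELLED: set(),   # terminal
}

MANAGE_PERMISSION = "issue:manage"  # permission named under Permissions


class TransitionError(Exception):
    """Raised when a status change is not allowed."""


@dataclass
class User:
    name: str
    permissions: Set[str] = field(default_factory=set)


@dataclass
class Issue:
    title: str
    status: str = OPEN          # default per the status table
    severity: str = "Medium"    # default per the severity table
    justification: Optional[str] = None   # required for Accepted
    approved_by: Optional[str] = None     # required for Accepted
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (from, to, actor)


def transition(issue: Issue, new_status: str, actor: User,
               justification: Optional[str] = None,
               approver: Optional[str] = None) -> Issue:
    """Move an issue to new_status, enforcing permission, allowed edges and acceptance rules."""
    if MANAGE_PERMISSION not in actor.permissions:
        raise TransitionError(f"{actor.name} lacks {MANAGE_PERMISSION}; issues are read-only")
    if new_status not in ALLOWED.get(issue.status, set()):
        raise TransitionError(f"cannot move from {issue.status} to {new_status}")
    if new_status == ACCEPTED:
        # Risk acceptance needs a documented justification and an approval.
        if not justification or not approver:
            raise TransitionError("Accepted requires a justification and an approver")
        # Separation between recorder and approver is an assumption of this example.
        if approver == actor.name:
            raise TransitionError("the approver must differ from the user recording acceptance")
        issue.justification = justification
        issue.approved_by = approver
    issue.history.append((issue.status, new_status, actor.name))
    issue.status = new_status
    return issue


def is_terminal(issue: Issue) -> bool:
    """True once no further transition is allowed (Closed, Accepted, Cancelled)."""
    return not ALLOWED.get(issue.status)
```

The `history` list is the minimal audit trail: every status change records who made it, which is what a reviewer needs when checking that an Accepted issue really carried a justification and a separate approver.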
Cross-module integration
One of the most powerful aspects of Exceptions & Gaps is its ability to track issues that originate from any SecureHive module. Issues use a polymorphic subject system — each issue records both a subject type and a subject ID, linking it back to the specific entity that surfaced the problem.
Subject types
Issues can be raised against any of the following sources:
| Subject Type | Source Module | Description |
|---|---|---|
| Control Test | Audit | Control test that identified a deficiency |
| Control Test Assignment | Audit | Specific test assignment that surfaced a gap |
| Finding | Audit | Formal audit finding requiring remediation |
| Risk | Risk Posture | Registered risk requiring issue-level tracking |
| Policy | Policy Controls | Policy that needs enforcement attention |
| Policy Enforcement | Policy Controls | Specific enforcement action that surfaced an issue |
| Audit Instance | Audit | Audit engagement with identified issues |
| Vendor Profile | Third-Party Exposure | Vendor with identified risk concerns |
| Vendor Assessment | Third-Party Exposure | Vendor assessment that surfaced findings |
| Standalone | — | Issue created independently, not linked to a specific source |
In addition to the polymorphic subject reference, issues maintain direct foreign-key links to specific entities (risks, findings, vendor assessments, policy enforcements, maturity capability assessments, and Azure AD applications) for fast querying and navigation.
Application security sources
Issues can also originate from application security tools, tracked through the source field:
| Source | Description |
|---|---|
| Threat Model | Findings from threat modeling exercises |
| SAST | Static application security testing results |
| DAST | Dynamic application security testing results |
| SCA | Software composition analysis findings |
| Pen Test | Penetration testing discoveries |
| Incident | Issues surfaced during incident investigation |
| Manual | Manually created issues |
When an issue originates from an AppSec source, it can be linked to a specific application for tracking remediation across the application portfolio.
Creating an issue
Navigate to Exceptions & Gaps
Go to Exceptions & Gaps → Issues and click New Issue, or create an issue directly from within the source module (e.g., from an audit finding or a risk detail page).
Classify the issue
Select the issue type (Operational, Technical, Compliance, Security, or Improvement) and set the severity level. The module field is automatically populated when the issue is created from within another module.
Document the details
Enter a descriptive title and detailed description. Fill in the root cause analysis, impact assessment, and remediation recommendation fields to provide the full picture for whoever will be working on the issue.
Assign ownership
Select an assignee who will be responsible for resolving the issue. Set a due date for the expected resolution.
Attach evidence
Upload supporting files — screenshots, scan reports, policy documents, or any other evidence that substantiates the issue. Each attachment records the file name, size, type, URL, and the user who uploaded it.
Submit or assign a workflow
For straightforward issues, move them directly to In Progress. For issues requiring formal approval or routing, assign a workflow template that automates the review and resolution process.
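The creation steps above, together with the subject-type and source tables, can be modelled as one validated constructor. The Python below is an added example, not SecureHive code: the `create_issue` and `attach_evidence` function names, the `Issue` and `Attachment` field names, the sample IDs and the default due-date window per severity are assumptions (the page only says critical issues are measured in hours or days and low-severity ones in weeks or months). The module is derived from the subject's source module, matching the automatic population described in the classification step, and a Standalone issue is rejected if it carries a subject ID.

```python
"""Creating an issue with a polymorphic subject reference (added example, not SecureHive code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Subject type -> source module, from the subject types table (Standalone has none).
SUBJECT_MODULES = {
    "Control Test": "Audit",
    "Control Test Assignment": "Audit",
    "Finding": "Audit",
    "Risk": "Risk Posture",
    "Policy": "Policy Controls",
    "Policy Enforcement": "Policy Controls",
    "Audit Instance": "Audit",
    "Vendor Profile": "Third-Party Exposure",
    "Vendor Assessment": "Third-Party Exposure",
    "Standalone": None,
}
ISSUE_TYPES = {"Operational", "Technical", "Compliance", "Security", "Improvement"}
SEVERITIES = {"Critical", "High", "Medium", "Low"}
SOURCES = {"Threat Model", "SAST", "DAST", "SCA", "Pen Test", "Incident", "Manual"}

# Default due-date windows per severity: assumed values for this example only.
DEFAULT_DUE_DAYS = {"Critical": 2, "High": 14, "Medium": 30, "Low": 90}


@dataclass
class Attachment:
    file_name: str
    file_size: int
    file_type: str
    url: str
    uploaded_by: str


@dataclass
class Issue:
    title: str
    description: str
    issue_type: str
    subject_type: str
    subject_id: Optional[str]
    module: Optional[str]            # auto-populated from the subject's source module
    severity: str
    source: str
    due_date: date
    status: str = "Open"
    application_id: Optional[str] = None   # optional link for AppSec-sourced issues
    assignee: Optional[str] = None
    root_cause: str = ""
    impact: str = ""
    recommendation: str = ""
    attachments: List[Attachment] = field(default_factory=list)


def create_issue(title, description, issue_type, subject_type, subject_id=None,
                 severity="Medium", source="Manual", application_id=None, assignee=None,
                 due_date=None, root_cause="", impact="", recommendation="", today=None):
    """Validate classification and subject linkage, then build the issue record."""
    if issue_type not in ISSUE_TYPES:
        raise ValueError(f"unknown issue type {issue_type!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    if source not in SOURCES:
        raise ValueError(f"unknown source {source!r}")
    if subject_type not in SUBJECT_MODULES:
        raise ValueError(f"unknown subject type {subject_type!r}")
    if subject_type == "Standalone":
        if subject_id is not None:
            raise ValueError("Standalone issues are not linked to a subject")
    elif not subject_id:
        raise ValueError(f"{subject_type} issues need the ID of the entity that surfaced them")
    today = today or date.today()
    if due_date is None:
        due_date = today + timedelta(days=DEFAULT_DUE_DAYS[severity])
    return Issue(title=title, description=description, issue_type=issue_type,
                 subject_type=subject_type, subject_id=subject_id,
                 module=SUBJECT_MODULES[subject_type], severity=severity, source=source,
                 due_date=due_date, application_id=application_id, assignee=assignee,
                 root_cause=root_cause, impact=impact, recommendation=recommendation)


def attach_evidence(issue, file_name, file_size, file_type, url, uploaded_by):
    """Record an attachment with the fields the page lists (name, size, type, URL, uploader)."""
    att = Attachment(file_name, file_size, file_type, url, uploaded_by)
    issue.attachments.append(att)
    return att
```

Passing `today` explicitly keeps the due-date calculation deterministic for tests; in a real service it would default to the current date.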
Comments and collaboration
Issues support threaded comments for discussion and collaboration. Each comment records the author, timestamp, and content.
Comments can be marked as internal — internal comments are visible only to administrators and are hidden from general users. This is useful for sensitive discussions about issue severity, business impact, or resolution strategy that should not be broadly visible.
Attachments
Issues support file attachments for evidence and documentation. Each attachment records the file name, file size, file type, file URL, and the user who uploaded it. Use attachments to provide supporting evidence such as scan reports, screenshots, policy documents, and remediation plans.
Incident linking
Issues can be linked to security incidents tracked in Incident Command. This connection establishes traceability between an incident investigation and the specific gaps or exceptions that contributed to or were discovered during the incident. When an issue is linked to an incident, both the issue and incident detail pages reflect the association.
Workflow automation
Issues can be assigned workflow templates from SecureHive’s shared workflow engine. Workflows automate the issue lifecycle by routing issues through configurable stages — triage, assignment, remediation, verification, and closure — with designated approvers at each step.
When a workflow is active on an issue, the workflow instance tracks each stage’s status, assigned approver, decision, and comments, providing a complete audit trail of the resolution process.
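A workflow instance of the kind described above can be represented as an ordered list of stages, each with its designated approver, where only that approver's decision is accepted and only an approval advances the issue to the next stage. The Python below is an added example, not the shared workflow engine's code: the `start_workflow` and `decide` names, the template shape (a mapping from stage name to approver) and the rule that a rejection keeps the issue at the same stage for rework are assumptions.

```python
"""Workflow instance tracking stage approvals on an issue (added example, not SecureHive code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Stages from the workflow description, in routing order.
STAGES = ["triage", "assignment", "remediation", "verification", "closure"]


class WorkflowError(Exception):
    """Raised when a decision comes from the wrong person or the workflow is finished."""


@dataclass
class Stage:
    name: str
    approver: str                      # designated approver from the template
    status: str = "pending"            # pending | approved | rejected
    decision: Optional[str] = None     # text of the latest decision
    comments: List[Tuple[str, str]] = field(default_factory=list)   # (author, text)


@dataclass
class WorkflowInstance:
    issue_id: str
    stages: List[Stage]
    current: int = 0
    # (stage, actor, outcome, comment): the audit trail of the resolution process
    audit_trail: List[Tuple[str, str, str, str]] = field(default_factory=list)


def start_workflow(issue_id: str, template: Dict[str, str]) -> WorkflowInstance:
    """Instantiate a workflow from a template mapping each stage to its approver."""
    missing = [s for s in STAGES if s not in template]
    if missing:
        raise WorkflowError(f"template has no approver for: {', '.join(missing)}")
    return WorkflowInstance(issue_id, [Stage(s, template[s]) for s in STAGES])


def current_stage(wf: WorkflowInstance) -> Optional[Stage]:
    """The stage awaiting a decision, or None once every stage is approved."""
    return wf.stages[wf.current] if wf.current < len(wf.stages) else None


def is_complete(wf: WorkflowInstance) -> bool:
    return current_stage(wf) is None


def decide(wf: WorkflowInstance, actor: str, approved: bool, comment: str = "") -> Stage:
    """Record the designated approver's decision; only an approval advances the workflow."""
    stage = current_stage(wf)
    if stage is None:
        raise WorkflowError("workflow already complete")
    if actor != stage.approver:
        raise WorkflowError(f"{actor} is not the approver for {stage.name} ({stage.approver})")
    outcome = "approved" if approved else "rejected"
    stage.status = outcome
    stage.decision = comment
    stage.comments.append((actor, comment))
    wf.audit_trail.append((stage.name, actor, outcome, comment))
    if approved:
        wf.current += 1   # a rejection keeps the issue at the same stage for rework
    return stage
```

Because `audit_trail` is append-only and records rejections as well as approvals, it shows not just that an issue was closed but how many attempts each stage took and who signed off at each step.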
Related entities
Issues can reference a list of related entity IDs to connect them to other records across SecureHive. This flexible linking mechanism lets you associate an issue with multiple controls, risks, policies, or other artifacts that are relevant to the problem without being the direct source.
Best practices
Document all exceptions with a clear root cause and business impact assessment — this context is essential for proper triage and prioritization. Set realistic due dates based on severity: critical issues should be measured in hours or days, while low-severity improvements may span weeks or months. Use internal comments for sensitive discussions about severity escalation or business justification for risk acceptance. Link issues to their source entity whenever possible so that module-level dashboards accurately reflect the organization’s issue landscape. Leverage workflow automation for issues that require multi-stakeholder review or formal approval before closure.
Permissions
Managing issues requires the issue:manage permission. Users with this permission can create issues, update status and classification, assign ownership, and manage the issue lifecycle. Users without this permission can view issues in read-only mode.