Handout E: Collaborative Bridge Policy Exception

IT Security exception register and ITSM dependency audit retrieved from BioGenix Solutions IT governance system. Requested by incident response team during lateral movement investigation.


Conditional Access Exception Register – COLLBRIDGE-EXCL-003

IT Security Exception Register
BioGenix Solutions -- Identity and Access Governance

Exception ID:     COLLBRIDGE-EXCL-003
Classification:   Conditional Access Policy Override
Status:           ACTIVE
Created:          2024-11-14
Created by:       IT Security Lead (M. Andersen)
Approved by:      CTO (K. Fønsmark)
Last reviewed:    NEVER
Expiry date:      NOT SET
Review cadence:   NOT CONFIGURED

--- Scope ---

Account:          svc-rdbridge-admin
Source range:     HANSEN-SAP-01 on-premise subnet (10.12.4.0/24)
Policy bypassed:  CA-POLICY-MFA-ALL (MFA for all cloud authentication)
                  CA-POLICY-NTLM-BLOCK (block legacy authentication protocols)
Authentication:   NTLM permitted without interactive logon or MFA challenge

--- Justification (as recorded at creation) ---

"Required to maintain CaliSyncPro calibration data synchronization between
HANSEN-SAP-01 and the Azure R&D environment (AZURE-RD-ENV-01) during the
Collaborative Bridge integration phase. The CaliSyncPro service account does
not support modern authentication. Temporary exception -- to be removed
when HANSEN-SAP-01 is decommissioned and calibration sync migrated to
cloud-native service. Target: Q1 2025. Tracked under ITSM-29847."

--- Exception Risk Notes ---

Risk accepted:    Yes
Risk owner:       CTO
Compensating      "HANSEN-SAP-01 decommission in progress. Exception
controls:         expected to be short-lived."

ITSM Ticket: ITSM-29847

IT Service Management System -- BioGenix Solutions
Ticket: ITSM-29847

Title:    HANSEN-SAP-01 Decommission -- Blocked: Collaborative Bridge Dependency
Status:   OPEN
Priority: LOW
Created:  2024-08-15
Target:   2024-09-01 (original decommission date)
Owner:    UNASSIGNED (previous owner departed 2024-10)
Last updated: 2024-11-02

--- History ---

2024-08-15  Ticket created. Decommission scheduled for 2024-09-01.
2024-09-01  Decommission BLOCKED. CaliSyncPro dependency on HANSEN-SAP-01
            not resolved. Migration to cloud-native sync not yet scoped.
2024-11-02  Collaborative Bridge integration completed. CaliSyncPro migration
            still pending -- HANSEN-SAP-01 remains required for calibration
            data sync. Exception COLLBRIDGE-EXCL-003 created to maintain
            connectivity during extended migration window.
2024-11-02  Priority set to LOW pending migration scoping. No follow-up
            scheduled.

[No further updates]

--- Blockers ---

Open blocker:   CaliSyncPro migration to cloud-native service not scoped
                or resourced. No timeline set.
Security patch: HANSEN-SAP-01 security patching paused 2024-08-15 pending
                decommission. Patches not applied since original target date.
SOC monitoring: System excluded from active monitoring under decommission-
                backlog policy (SECOPS-EXCL-2024-017).

IM NOTES (Do Not Show to Players):

  • Three compounding governance failures are visible here:
    1. A temporary exception with no expiry date and no review cadence became permanent by default.
    2. The ITSM ticket blocking decommission was deprioritized after the previous owner departed, with no handover or reassignment.
    3. Security patching and SOC monitoring were both paused at the original decommission date and never resumed – leaving HANSEN-SAP-01 an 18-month-old unmonitored, unpatched, internet-connected server.
  • The COLLBRIDGE-EXCL-003 justification explicitly describes the exception as temporary and tied to ITSM-29847. Neither was ever followed up.
  • This handout supports the key debrief insight: the attacker did not create this attack path – they found one that BioGenix’s own governance had left open and forgotten.

IM Facilitation Notes

  • Release when participants ask how COLLBRIDGE-EXCL-003 was created, why it had no expiry, or why HANSEN-SAP-01 was never actually decommissioned.
  • Use this handout to drive discussion on exception lifecycle management, ticket ownership continuity, and the risk of “temporary” controls that become permanent by inaction.
  • The ITSM ticket with no owner and no follow-up since November 2024 is a powerful debrief artifact – governance failures are rarely a single point of failure.
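
For the debrief discussion on exception lifecycle management, the following added example (not part of the BioGenix records or any real governance tool) shows an automated check that would have flagged COLLBRIDGE-EXCL-003 and ITSM-29847. The function names, the 90-day staleness threshold and the evaluation date are assumptions; the sample fields are copied from the two records above.

```python
import re
from datetime import date
# Constructed sample input: fields copied from the two records in this handout.
EXCEPTION = """Exception ID:     COLLBRIDGE-EXCL-003
Status:           ACTIVE
Last reviewed:    NEVER
Expiry date:      NOT SET
Review cadence:   NOT CONFIGURED"""
TICKET = """Ticket: ITSM-29847
Status:   OPEN
Target:   2024-09-01 (original decommission date)
Owner:    UNASSIGNED (previous owner departed 2024-10)
Last updated: 2024-11-02"""

def parse_fields(text):
    """Parse 'Label: value' lines into a dict keyed by lower-cased label."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(.+)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def first_date(value):
    """Return the first YYYY-MM-DD date in a field, or None (NEVER, NOT SET)."""
    m = re.search(r"\d{4}-\d{2}-\d{2}", value or "")
    return date.fromisoformat(m.group()) if m else None

def audit(exception_text, ticket_text, today, max_stale_days=90):
    """List lifecycle findings; max_stale_days is an assumed threshold."""
    exc, tkt = parse_fields(exception_text), parse_fields(ticket_text)
    findings = []
    if exc.get("status") == "ACTIVE":
        if first_date(exc.get("expiry date")) is None:
            findings.append("exception has no expiry date")
        if first_date(exc.get("last reviewed")) is None:
            findings.append("exception has never been reviewed")
        if exc.get("review cadence", "NOT CONFIGURED") == "NOT CONFIGURED":
            findings.append("exception has no review cadence")
    if tkt.get("status") == "OPEN":
        if tkt.get("owner", "UNASSIGNED").startswith("UNASSIGNED"):
            findings.append("linked ticket has no owner")
        target = first_date(tkt.get("target"))
        if target and target < today:
            findings.append("linked ticket is past its target date")
        updated = first_date(tkt.get("last updated"))
        if updated is None or (today - updated).days > max_stale_days:
            findings.append("linked ticket has gone stale")
    return findings
```

Run on a schedule against the full register, a check like this turns "no follow-up scheduled" into a recurring finding that someone has to close.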