
Which Is Correct Exception Or Exemption?


January 1, 2016

Question:

I am trying to understand which wording I should use when establishing risk waivers. I am used to using "Exception", but I see that that might be wrong :) Can someone with more knowledge explain the difference?

Answer:

Honestly, for the purpose of risk waivers they can be used interchangeably; however, I personally would prefer the use of the word "Exception". Both words are similar enough in this context, i.e. one definition of each is "leaving something out of a set", so really both can be used.

"Definitions: Waiver: An exception or exemption to any written information security policy, standard, procedure, or practice that has been approved by the appropriate governing body and published for use."

There are differences between the two words, but really it is just nuance.

Answer:

To me, declaring something "exempt" would insinuate that that risk is now immune from further faults. That's why we typically deal with POA&Ms instead. A risk that cannot be mitigated/transferred/whatever'd in a reasonable amount of time should then have a plan of action created, and milestones to track and show progress.

If something gets a waiver, what is forcing the responsible parties to deal with that issue anymore? In their eyes, they got a free pass. With a POA&M, if no reasonable attempt has been made to remediate the issue in the time frame allotted, then whatever system or thing is causing that risk needs to go. You don't want to just assume unnecessary risk and leave something hanging out there that is causing your organization to be vulnerable.

If something cannot be remediated in the short term due to time, budget, software maturity or some other constraint, then have a plan for addressing the issue when it becomes feasible. If not, then shitcan it. If your folks don't care enough to patch it, then you shouldn't care to keep it around.