Which is correct: exception or exemption?
Forum: Defensive Cyber Security


This topic contains 2 replies, has 3 voices, and was last updated by Chin_Diesel 2 years, 2 months ago.

  • #99590

    Pesh Stoyanov
    Participant

    I am trying to understand which wording I should use when establishing risk waivers.

    I am used to using “Exception”, but I see that that might be wrong 🙂

    Can someone with more knowledge explain the difference?

    #99600

    dedeij
    Participant

    Honestly,

    For the purpose of Risk Waivers they can be used interchangeably; however, I personally would prefer the use of the word “Exception”. But both words are similar enough in this context, i.e. one definition of each is “leaving something out of a set”, so really both can be used.

    “Definitions:

    Waiver:

    An exception or exemption to any written information security policy, standard, procedure, or practice that has been approved by the appropriate governing body and published for use.” (https://confluence.drake.edu/display/SPS/Information+Security+Standard+-+Security+Waiver)

    There are differences between the two words, and really it is just nuance:
    https://english.stackexchange.com/questions/17672/what-is-the-difference-between-exemption-and-exception

    #99628

    Chin_Diesel
    Moderator

    To me, declaring something “exempt” would insinuate that that risk is now immune from further faults. That’s why we typically deal with POA&Ms instead. A risk that cannot be mitigated/transferred/whatever’d in a reasonable amount of time should then have a plan of action created, and milestones to track and show progress. If something gets a waiver, what is forcing the responsible parties to deal with that issue anymore? In their eyes, they got a free pass. With a POA&M, if no reasonable attempt has been made to remediate the issue in the time frame allotted, then whatever system or thing that is causing that risk needs to go.

    You don’t want to just assume unnecessary risk and leave something hanging out there that is causing your organization to be vulnerable. If something cannot be remediated in the short term due to time, budget, software maturity or some other constraint, then have a plan for addressing the issue when it becomes feasible. If not, then shitcan it. If your folks don’t care enough to patch it, then you shouldn’t care to keep it around.
