Which is correct exception or exemption?

This topic contains 2 replies, has 3 voices, and was last updated by  Chin_Diesel 2 years, 11 months ago.


    Pesh Stoyanov

    I am trying to understand which wording I should use when establishing the risk waivers.

    I am used to using Exception, but I see that that might be wrong 🙂

    Can someone with more knowledge explain the difference?




    For the purpose of a Risk Waiver they can be used interchangeably; however, I personally would prefer the use of the word “Exception”. But both words are similar enough in this context, i.e. one definition of each is “leaving something out of a set”, so really both can be used.



    “An exception or exemption to any written information security policy, standard, procedure, or practice that has been approved by the appropriate governing body and published for use.” https://confluence.drake.edu/display/SPS/Information+Security+Standard+-+Security+Waiver

    There are differences to each word, and really it is just nuance.



    To me, declaring something “exempt” would insinuate that that risk is now immune from further faults. That’s why we typically deal with POA&Ms instead. A risk that cannot be mitigated/transferred/whatever’d in a reasonable amount of time should then have a plan of action created, and milestones to track and show progress. If something gets a waiver, what is forcing the responsible parties to deal with that issue anymore? In their eyes, they got a free pass. With a POA&M, if no reasonable attempt has been made to remediate the issue in the time frame allotted, then whatever system or thing that is causing that risk needs to go.

    You don’t want to just assume unnecessary risk and leave something hanging out there that is causing your organization to be vulnerable. If something cannot be remediated in the short term due to time, budget, software maturity or some other constraint, then have a plan for addressing the issue when it becomes feasible. If not, then shitcan it. If your folks don’t care enough to patch it, then you shouldn’t care to keep it around.
