In this lesson, we will look at exceptions in the realm of policy management. While policies are intended to be inclusive, there will be situations where exceptions to that policy will be required. Whether it's hardware that cannot be brought into compliance or staff who necessarily must be exempted; there must be a procedure set up to deal with the inevitable exceptions to policy. The Process of Managing Exceptions The procedure for how exception requests are submitted, evaluated and documented must be documented. An exception request form should be customized and standardized, and consequently used as a template. There must be a concomitant response form that will be completed by the individual who approves or rejects the exception request, and a tracking log should be kept of all exceptions that have been granted. There are supplementary documents that should be included in the exception process: - Descriptions of roles and responsibilities - Technology standards - Workflows demonstrating how security functions performed by different departments combine to ensure secure data handling Guidelines that advise on the easiest ways to comply with security policy.