Security exceptions
Indeed, if we have policies and standards, we will have exceptions too. Let's face it: it is hard to implement everything by the letter of the law due to complexity, costs, and limitations of software and hardware. There are two schools of thought on policy implementation. The first writes policy only for what is currently being done or can be done with little effort; the second writes the policy that the enterprise should be implementing. The first school of thought may not be ideal, but upper management may not want to hear that the enterprise is dismally implementing a policy that has been written. On the other hand, upper management that understands security will want to push the enterprise to a higher standard and push for the best feasible policy.
Whichever approach is taken to policy creation and enforcement, there will be exceptions. Exceptions are not necessarily a bad thing, but they must be documented with a path to resolution and a timeframe for reaching it. Without an acceptable timeframe...