
Multiple Choice

Exceptions in policies and procedures should be forbidden.

Explanation:

Exceptions to policies and procedures will happen because you can't anticipate every real-world scenario. The important idea is to build a governance process that allows controlled deviations without compromising overall security.

A formal exception process should be in place: clearly document the reason for the exception, obtain appropriate approval, define the exact scope and a finite duration, implement compensating controls as needed, and schedule regular reviews. This keeps policy governance intact while providing the needed flexibility to operate effectively. Without such a process, teams may resort to untracked workarounds that introduce risk or push the organization toward impractical rigidity.

For example, a legacy system might require a temporary waiver from a strict authentication requirement. If this is approved, it should be limited in time, monitored, and accompanied by additional safeguards until the system can be updated.

Rigidly forbidding exceptions or requiring them to be mandatory ignores real-world constraints and can lead to insecure workarounds or operational bottlenecks. Exceptions, managed properly, are a practical part of security governance.
