CompTIA CySA+ CS0-003: Exceptions

A security exception is a documented decision not to apply a specific security standard or control because of a competing factor, for example declining to enforce a strong encryption standard on a link where the overhead would degrade network performance. Exceptions should be rare, and when one is granted it is tracked and monitored to ensure it is used only as approved. Every exception introduces risk, so the first step is to evaluate how much residual risk the organization is willing to accept. Leadership should be involved in deciding whether the cost savings are worth that added risk.

When it comes to risk, the four treatment options are to accept it, transfer it to a third party, avoid it, or mitigate it. Accepting the risk means retaining it in full: you acknowledge the exposure and proceed without reducing it, so the organization carries the maximum residual risk. Transferring it means relying on a third party, such as an insurance company, to absorb the impact in exchange for a price. Avoiding it means eliminating the risky asset or activity entirely, such as decommissioning the computer in question. Mitigating it means putting a control in place to lower the likelihood or impact, such as a firewall.