Exceptions vs exemptions

In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately.

“Exceptions” are unauthorized non-conformance or non-compliance situations.  For example if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception, something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management. 

Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such.

“Exemptions” are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicitly authorized or agreed that they should continue – perhaps with compensating controls, for a defined limited period, and with clear accountability for the associated risks. So, for instance, the information risks associated with only having single-factor auth on a test system may be acceptable to management if the control costs are deemed excessive in that situation … but the exemption might be only for the duration of the testing, and on the condition that the test system only has access to test data not live/production data, with the Test Manager accepting personal accountability for the associated information risks. 

Exemptions do not constitute issues, events or incidents unless: 

• The situation at hand varies substantially from that authorized e.g. if the compensating controls are not actually in operation, or if the authorized exemption period has expired (yes, even exemptions have to be complied with ... perhaps implying the need for compliance checks and other control measures if the information risks are significant);
• The information risks are materially different from those accepted e.g. if they were misunderstood or misstated/misrepresented when someone applied for the exemption. If incidents have occurred on the test system that would have been prevented by multifactor auth, that suggests the need for management to revisit the authorization of the exemption and perhaps hold the Test Manager to account for the incidents, demanding appropriate corrective action.

The distinction implies processes or activities for identifying, evaluating and treating the information risks - conventional risk management, in fact, applied rationally according to the differing circumstances. 

The critical distinction between exemptions and exceptions is not the amount of risk, or management's knowledge of the situation, or even the authorization: the distinction ultimately comes down to accountability. There are information risks associated with both exemptions and exceptions, but with exemptions an individual explicitly accepts the risks, whereas with exceptions the risks are left floating in mid-air ... which means 'management' as a whole accepts them implicitly and severally, since they fall within management's governance obligations.