Security Policy VS "The Legal Dept." - TechRepublic
March 19, 2001 at 09:59 AM
security_guy

I have a problem between the Information Systems Security Policy’s wording and the head of the Legal Department. The IS Security policy has a section titled Non-Compliance where the consequences of not complying with the policy are spelled out in the first paragraph.

The second paragraph went like this:

“Operating practices and procedures in use under the guidance of this policy will from time to time be reviewed or modified to fit current circumstances. Deviation from established practices or procedures require written approval from the ISO or the Information System’s Steering Committee prior to implementation”.

The intent here was to acknowledge that there will be exceptions and they will be considered on a case-by-case basis. Problem is, the head of the legal department does not want ANY reference to exceptions or deviation MENTIONED in the policy.

We all know there are and will be users who require an exception but how do I write this paragraph to say that without mentioning the words “exception” or “deviation”? HELP!!
