Indeed, if we have policies and standards we will have exceptions too. Let's face it; it is hard to implement everything by the letter of the law due to complexity, costs, and limitations of software and hardware. There are two schools of thought on policy implementation, one school, only put in policies on what is currently being done or with little effort, the other, write a policy that the enterprise should be implementing. The first school of thought may not be ideal, but upper management may not want to hear that the enterprise is dismally implementing a policy that has been written. On the other hand, upper management that understands security will want to push the enterprise to a higher standard and push for the best ...