PaulDotCom mailing list archives

exception handling


From: mike.patterson at unb.ca (Mike Patterson)
Date: Mon, 05 Jan 2009 16:43:24 -0500

Day 1 in my new security-type job, and I've run across a bunch of goo
left behind by the last guy.  He didn't, so far as I or anybody else can
tell, document exceptions he'd made to things like his scripts that
check snort logs to see if somebody's been sending out lots of SMTP
traffic and so on.  ("So get something like sguil going" I hear you
saying, yeah, fine, but meantime I need to get along with what we have now.)

For both this sort of thing and firewall policies, I'm wondering how
people track exceptions that are made, along with documentation
supporting the reasons why, and when the exception can be revoked?

Right now there are two of us with part-time help sometimes maybe from a
few other staff members.  Money isn't *really* a problem, but hey, free
is always better, right?  Windows, Linux, Solaris, QNX, don't care what
it runs on.

TIA.

Mike

