CISM Certified Information Security Manager – Question0742

As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:

A. considered at the discretion of the information owner.
B. approved by the next higher person in the organizational structure.
C. formally managed within the information security framework.
D. reviewed and approved by the security manager.

Correct Answer: C

Explanation:

A formal process for managing exceptions to information security policies and standards should be included as part of the information security framework. The other options may be contributors to the process but do not in themselves constitute a formal process.