As an organization grows, exceptions to information security policies that were not originally specified may
become necessary at a later date. In order to ensure effective management of business risks, exceptions to
such policies should be:
A. considered at the discretion of the information owner.
B. approved by the next higher person in the organizational structure.
C. formally managed within the information security framework.
D. reviewed and approved by the security manager.
Explanation:
A formal process for managing exceptions to information security policies and standards should be included as part of the information security framework. The other options may be contributors to the process but do not in themselves constitute a formal process.