The Information Security Officer (ISO) is reviewing new policies that have been recently made effective and now apply to the company. Upon review, the ISO identifies a new requirement to implement two-factor authentication on the company’s wireless system. Due to budget constraints, the company will be unable to implement the requirement for the next two years. The ISO is required to submit a policy exception form to the Chief Information Officer (CIO). Which of the following are MOST important to include when submitting the exception form? (Select THREE).
A. Business or technical justification for not implementing the requirements.
B. Risks associated with the inability to implement the requirements.
C. Industry best practices with respect to the technical implementation of the current controls.
D. All sections of the policy that may justify non-implementation of the requirements.
E. A revised DRP and COOP plan to the exception form.
F. Internal procedures that may justify a budget submission to implement the new requirement.
G. Current and planned controls to mitigate the risks.

Answer: A, B, G

Explanation:

The Exception Request must include:

- A description of the non-compliance.
- The anticipated length of non-compliance (2-year maximum).
- The proposed assessment of risk associated with non-compliance.
- The proposed plan for managing the risk associated with non-compliance.
- The proposed metrics for evaluating the success of risk management (if risk is significant).
- The proposed review date to evaluate progress toward compliance.
- An endorsement of the request by the appropriate Information Trustee (VP or Dean).

Incorrect Answers:

C: The policy exception form documents non-implementation of a requirement; it is not a vehicle for describing how the current controls are implemented.

D: Listing all sections of the policy that may justify non-implementation is not required; a description of the non-compliance is.

E: A revised Disaster Recovery Plan (DRP) and Continuity of Operations (COOP) plan are not required; a proposed plan for managing the risk associated with non-compliance is.

F: The policy exception form requires justification for not implementing the requirement, not procedures that would justify a budget submission to implement it.

References:

http://www.rit.edu/security/sites/rit.edu.security/files/exception%20process.pdf
