
CAS-001 Question #391: Real Exam Question with Answer & Explanation

The correct answers are A, B and G: the business or technical justification for not implementing the requirement, the risks associated with not implementing it, and the current and planned controls that mitigate those risks. A policy exception form is a formal, time-bound request to deviate from a security requirement, and the CIO needs these three elements to make an informed risk-acceptance decision.

Question

The Information Security Officer (ISO) is reviewing new policies that have been recently made effective and now apply to the company. Upon review, the ISO identifies a new requirement to implement two-factor authentication on the company's wireless system. Due to budget constraints, the company will be unable to implement the requirement for the next two years. The ISO is required to submit a policy exception form to the Chief Information Officer (CIO). Which of the following are MOST important to include when submitting the exception form? (Select THREE).

Options

  • A. Business or technical justification for not implementing the requirements.
  • B. Risks associated with the inability to implement the requirements.
  • C. Industry best practices with respect to the technical implementation of the current controls.
  • D. All sections of the policy that may justify non-implementation of the requirements.
  • E. A revised DRP and COOP plan attached to the exception form.
  • F. Internal procedures that may justify a budget submission to implement the new requirement.
  • G. Current and planned controls to mitigate the risks.

Explanation

A policy exception form is a formal request to deviate from a security requirement for a defined period. It must be decision-quality documentation for the CIO, who is being asked to accept a known risk on the organization's behalf. Option A (business or technical justification) explains why the requirement cannot be met; in this case, budget constraints prevent implementing two-factor authentication on the wireless system for two years. Option B (risks associated with non-implementation) describes the security exposure the organization accepts by granting the exception, for example unauthorized wireless access using a single compromised credential; the CIO cannot responsibly approve the exception without understanding that risk. Option G (current and planned controls to mitigate the risks) demonstrates due diligence by showing which compensating controls are in place, or will be put in place, to reduce the risk during the exception window. Industry best practices (C) are informational but are not required in an exception form. Policy sections (D) are already known to the CIO, and citing them does not by itself justify an exception. A revised DRP and COOP (E) concern recovery and continuity and are unrelated to a wireless authentication exception. Internal budget procedures (F) are a process concern, not a risk-management deliverable.
