CAS-002 Question #217: Real Exam Question with Answer & Explanation
The correct answer is A: Business or technical justification for not implementing the requirements.
Question
Options
- A. Business or technical justification for not implementing the requirements.
- B. Risks associated with the inability to implement the requirements.
- C. Industry best practices with respect to the technical implementation of the current controls.
- D. All sections of the policy that may justify non-implementation of the requirements.
- E. A revised DRP and COOP plan to the exception form.
- F. Internal procedures that may justify a budget submission to implement the new requirement.
- G. Current and planned controls to mitigate the risks.
Explanation
A policy exception form must demonstrate informed risk acceptance. The three most critical elements are:

- (A) Business or technical justification: explains why the requirement cannot currently be met (budget constraints, in this case), giving the CIO the rationale to approve the exception.
- (B) Risks associated with non-implementation: documents the security risks the organization is accepting, fulfilling the CIO's responsibility to make an informed decision.
- (G) Current and planned controls to mitigate the risks: shows the compensating controls that reduce exposure during the exception period, and a roadmap to eventual compliance.

Industry best practices (C) and policy cross-references (D) are informational but not essential to an exception form. A revised DRP/COOP (E) is unrelated to a policy exception. Budget procedures (F) are administrative, not risk-focused.