As an organization grows, exceptions to information security policies that were not originally
specified may become necessary at a later date. In order to ensure effective management of
business risks, exceptions to such policies should be:

A.
considered at the discretion of the information owner.

B.
approved by the next higher person in the organizational structure.

C.
formally managed within the information security framework.

D.
reviewed and approved by the security manager.

Explanation:

A formal process for managing exceptions to information security policies and standards should be
included as part of the information security framework. The other options may be contributors to
the process but do not in themselves constitute a formal process.