A security engineer is given new application extensions each month that need to be secured prior
to implementation. They do not want the new extensions to invalidate or interfere with existing
application security. Additionally, the engineer wants to ensure that the new requirements are
approved by the appropriate personnel. Which of the following should be in place to meet these
two goals? (Select TWO).

A.
Patch Audit Policy

B.
Change Control Policy

C.
Incident Management Policy

D.
Regression Testing Policy

E.
Escalation Policy

F.
Application Audit Policy