Pete, a security analyst, has been informed that the development team has plans to develop an
application which does not meet the company’s password policy. Which of the following should Pete do
NEXT?

A.
Contact the Chief Information Officer and ask them to change the company password policy so that the
application is made compliant.

B.
Tell the application development manager to code the application to adhere to the company’s
password policy.

C.
Ask the application development manager to submit a risk acceptance memo so that the issue can be
documented.

D.
Inform the Chief Information Officer of non-adherence to the security policy so that the developers can
be reprimanded.

Explanation:
Since the application is violating the security policy it should be coded differently to comply with the
password policy.
Incorrect Answers:
A: Changing the password policy to make the application compliant would be the same as creating an
incident because any attempt to violate a security policy is considered an incident.
C: Requesting to change to the risk acceptance is not best practice and it basically amounts to incident
response.D: Reprimanding the developers will not result in the application complying with the security policy.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 445