A security policy states that all applications on the network must have a password length of eight characters. There are three legacy applications on the network that cannot meet this policy. One system will be upgraded in six months, and two are not expected to be upgraded or removed from the network. Which of the following processes should be followed?

A security policy states that all applications on the network must have a password length of eight characters. There are three legacy applications on the network that cannot meet this policy. One system will be upgraded in six months, and two are not expected to be upgraded or removed from the network. Which of the following processes should be followed?
A . Establish a risk matrix
B . Inherit the risk for six months
C . Provide a business justification to avoid the risk
D . Provide a business justification for a risk exception

View Answer

Answer: D

Explanation:

The Exception Request must include:

A description of the non-compliance.

The anticipated length of non-compliance (2-year maximum).

The proposed assessment of risk associated with non-compliance.

The proposed plan for managing the risk associated with non-compliance.

The proposed metrics for evaluating the success of risk management (if risk is significant).

The proposed review date to evaluate progress toward compliance.

An endorsement of the request by the appropriate Information Trustee (VP or Dean).

Incorrect Answers:

A: A risk matrix can be used to determine an overall risk ranking before determining how the risk will be dealt with.

B: Inheriting the risk for six months means that it has been decided the benefits of moving forward outweighs the risk.

C: Avoiding the risk is not recommended as the applications are still being used.

References:

http://www.Rit.edu/security/sites/rit.edu.securit /files/exception%20process.pdf

Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 218