A cybersecurity analyst is preparing a vulnerability management report and identifies a high-risk vulnerability on a system that is tightly governed by the organization's change management policies. The policy requires a two-week review period for any system changes, but the vendor has rated the vulnerability as 'critical' with a high likelihood of exploitation. In light of the existing organizational governance, which course of action should the analyst recommend in the vulnerability management report to address the risk adequately?
Suggest waiting for the two-week review period before any action, adhering to the strict change management policy.
Advise immediate patch deployment to override the two-week review policy due to the vendor's critical rating.
Propose the creation of an exception in the governance policy for all vendor-rated critical vulnerabilities going forward.
Recommend implementing compensating controls and initiating an expedited review process for the patch deployment.