During a patch-management planning meeting, operations staff request a temporary exception for a legacy server that might crash if a newly released critical patch is applied immediately. According to best practices for patching and configuration management, what MUST be done before this temporary exception is granted?
Allow the exception indefinitely as long as vulnerability scans are disabled on the affected server.
Automatically grant the exception if the system is internal and not Internet-facing.
Document the request, obtain formal approval, and specify an expiration date for the exception.
Skip documentation because the exception is temporary and apply only compensating controls.
Before any exception, permanent or temporary, is approved, it must be fully documented, formally approved, assigned an expiration or review date, and accompanied by compensating controls as needed. Skipping documentation, granting open-ended timelines, or automatically approving exceptions based on network location fails to meet accepted security-governance standards.