CompTIA Security+ SY0-701 Practice Question
In an organization's risk management framework, when might an exemption be most appropriately granted?
As a habitual practice for lower-priority systems to minimize the effort spent on security
When compliance with a security policy or control is either not feasible or not cost-effective relative to the reduction in risk it would bring
Whenever a key stakeholder dislikes the constraints imposed by a certain policy or standard
When there is insufficient budget to implement any security measures and all risks need to be accepted