Certified in Risk and Information Systems Control (CRISC) — Question 587
An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:
Answer options
- A. a lack of mitigating actions for identified risk.
- B. ineffective IT governance.
- C. ineffective service delivery.
- D. decreased threat levels.
Correct answer: B
Explanation
The correct answer is B, as ineffective IT governance can lead to a lack of oversight in security policy enforcement. The other options do not directly address the systemic failure in governance that allows exceptions to be approved automatically, making them less relevant in this context.