The Information Security Officer (ISO) is reviewing new policies that have been recently
made effective and now apply to the company. Upon review, the ISO identifies a new
requirement to implement two-factor authentication on the companys wireless system. Due
to budget constraints, the company will be unable to implement the requirement for the
next two years. The ISO is required to submit a policy exception form to the Chief
Information Officer (CIO). Which of the following are MOST important to include when
submitting the exception form? (Select THREE).