Marek’s organization has a system that needs to receive a deviation from a defined security process. What best practice should he follow to ensure that this is done correctly?

Marek should follow his organization’s change management process to document the change required and to ensure that it is regularly reviewed. This may not require a risk assessment since it may be a simple requirement or may have already been assessed. The type of security variance needed is not described, so it is not clear if removing the system from the network is necessary.