Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.
Does the organization document, assess risk and approve or deny deviations to standardized configurations?