A financial services company's internal policy mandates that all data-in-transit must be encrypted. However, a critical legacy accounting application does not support Transport Layer Security (TLS) and cannot be immediately replaced or updated. A security analyst has been tasked with mitigating the risk associated with the unencrypted data traversing the corporate network. Which of the following would be the BEST compensating control to implement?
Enforce a stricter password policy for all users who access the legacy accounting application.
Update the security policy to create an exception for the legacy accounting application.
Formally document the issue and sign a risk acceptance form to acknowledge the unencrypted traffic.
Deploy IPsec to create an encrypted tunnel for all traffic within an isolated network segment containing the application and its clients.
The best compensating control is to deploy IPsec to encrypt traffic within an isolated network segment. This addresses the core requirement of encrypting data-in-transit by implementing an alternative, network-level control when the application-level control (TLS) is not feasible. Risk acceptance and policy exceptions do not mitigate the risk, and implementing a stricter password policy addresses authentication, not data-in-transit encryption.