A financial services company's internal policy mandates that all data-in-transit must be encrypted. However, a critical legacy accounting application does not support Transport Layer Security (TLS) and cannot be immediately replaced or updated. A security analyst has been tasked with mitigating the risk associated with the unencrypted data traversing the corporate network. Which of the following would be the BEST compensating control to implement?
Formally document the issue and sign a risk acceptance form to acknowledge the unencrypted traffic.
Update the security policy to create an exception for the legacy accounting application.
Deploy IPsec to create an encrypted tunnel for all traffic within an isolated network segment containing the application and its clients.
Enforce a stricter password policy for all users who access the legacy accounting application.
The best compensating control is to deploy IPsec to encrypt traffic within an isolated network segment. A compensating control is an alternative that satisfies the intent of a required control when that control cannot be applied as written: the policy requires encrypted data in transit, the application cannot provide it itself through TLS, so the encryption is moved down to the network layer, where IPsec protects the packets without any change to the application. Isolating the segment additionally limits which hosts can reach the application at all. Risk acceptance and policy exceptions document the gap but leave the traffic unencrypted, and a stricter password policy addresses authentication, not data-in-transit encryption.
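As an added illustration of what that control looks like in practice (this is example configuration written for this page, not part of the original question or of any vendor's documentation), the strongSwan swanctl.conf fragment below protects a legacy application in transport mode between the application server and every client host on its segment. The server address 10.20.0.10, the client subnet 10.20.0.0/24, the application port tcp/7000, the identity acct-server and the pre-shared key are all assumed values chosen for the example; each client host would carry the mirror-image configuration.

```ini
# swanctl.conf on the legacy accounting server (example, assumed addresses)
connections {
    legacy-acct {
        version      = 2                      # IKEv2 only
        local_addrs  = 10.20.0.10             # assumed server address
        remote_addrs = 10.20.0.0/24           # assumed isolated client segment
        proposals    = aes256-sha256-x25519   # IKE SA: AES-256, SHA-256 PRF/integrity, X25519 DH

        local {
            auth = psk
            id   = acct-server                # assumed identity
        }
        remote {
            auth = psk                        # any client host on the segment with the key
        }

        children {
            acct-app {
                mode          = transport     # host-to-host, so no extra IP header
                local_ts      = 10.20.0.10/32[tcp/7000]   # only the app's port (assumed)
                remote_ts     = 10.20.0.0/24
                esp_proposals = aes256gcm16-x25519        # AEAD cipher for ESP
                start_action  = trap          # install policy now; traffic triggers IKE
                dpd_action    = restart       # re-establish if a peer goes silent
            }
        }
    }
}

secrets {
    ike-acct {
        id-1   = acct-server
        # Placeholder only: generate the real value with a CSPRNG and never store it
        # in version control.
        secret = "REPLACE-WITH-RANDOM-PSK-FROM-CSPRNG"
    }
}
```

Two points matter for the check a practitioner would do after loading this with swanctl --load-all. First, start_action = trap installs the kernel policy immediately, so packets that match the selectors are held until a CHILD_SA exists rather than sent in clear; that is the fail-closed behaviour the compensating control needs. Second, verification is done on the wire, not in the configuration: a capture on the segment (for example tcpdump -ni eth0 'host 10.20.0.10') should show only ESP, never tcp/7000 payload, and swanctl --list-sas should list one CHILD_SA per client host. A single PSK shared by every client is the simplest setup but the weakest; where the segment has more than a handful of hosts, per-host certificates (auth = pubkey) are the stronger choice. IPsec covers only confidentiality and integrity in transit; it does not add to the application's own authentication or authorization.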