During a security review, the IT department determines that a critical legacy application cannot support multi-factor authentication (MFA). To maintain an acceptable security posture, the team places the application on its own network segment, enables verbose logging, and performs daily manual reviews of the access logs until a modern replacement is available.
Which of the following BEST describes these additional safeguards?
Implementing a compensating control
Conducting a root-cause analysis of recent security events
Adding an additional layer of defense-in-depth beyond requirements
Because the primary control (MFA) is not technically feasible for the legacy application, the team substitutes safeguards that meet the same intent with comparable risk reduction: the dedicated network segment limits who can reach the application at all, and verbose logging plus daily log review provides detection of credential misuse that MFA would otherwise have blocked. Safeguards adopted in place of a control that cannot be implemented are compensating controls; they are normally documented together with the reason the primary control is not possible and are retired once the modern replacement is in place. The other options describe important security activities, but neither refers to substituting one control for another that cannot be implemented.
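To make the "daily manual review" concrete, the script below is an added example (not part of the original page) that automates the checks a reviewer would otherwise perform by hand for an application with no MFA. The application, its log format (`timestamp user=… src=… result=…`), the allowed segment 10.20.30.0/24, the thresholds and the sample log lines are all assumptions constructed for the example. It flags three things: a connection from outside the dedicated segment (the segmentation control has been bypassed or misconfigured), a burst of failed logins for one account (password guessing, which MFA would normally render harmless), and a successful login that follows such a burst (the case that most needs a human to look at it).

```python
"""Daily review of a legacy application's access log.

Added example, not code from the original page. The application, its log
format and the thresholds below are hypothetical.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the legacy app lives on its own /24 and only that segment may reach it.
ALLOWED_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
FAIL_THRESHOLD = 5                  # failures per user inside FAIL_WINDOW raise an alert
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample log lines in the hypothetical format the app emits.
SAMPLE_LOG = """\
2024-05-06T08:01:10Z user=alice src=10.20.30.5 result=SUCCESS
2024-05-06T08:02:31Z user=bob src=10.20.30.9 result=SUCCESS
2024-05-06T09:15:02Z user=svc_batch src=192.168.7.44 result=SUCCESS
2024-05-06T22:40:01Z user=carol src=10.20.30.12 result=FAIL
2024-05-06T22:40:13Z user=carol src=10.20.30.12 result=FAIL
2024-05-06T22:40:25Z user=carol src=10.20.30.12 result=FAIL
2024-05-06T22:40:40Z user=carol src=10.20.30.12 result=FAIL
2024-05-06T22:40:58Z user=carol src=10.20.30.12 result=FAIL
2024-05-06T22:41:30Z user=carol src=10.20.30.12 result=SUCCESS
2024-05-06T23:05:00Z user=dave src=10.20.30.7 result=FAIL
"""


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on malformed input."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def review(log_text):
    """Return a list of (severity, message) findings for one day's log."""
    findings = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures in the window
    burst_users = set()                # users already reported for a burst

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, src, ts = rec["user"], rec["src"], rec["ts"]

        # Segmentation check: a source outside the segment means the firewall
        # rule is wrong or has been bypassed, whatever the login result was.
        if src not in ALLOWED_SEGMENT:
            findings.append(("HIGH", f"{ts} {user} reached app from {src}, outside {ALLOWED_SEGMENT}"))

        if rec["result"] == "FAIL":
            window = recent_fails[user] + [ts]
            # keep only failures still inside the sliding window
            recent_fails[user] = [t for t in window if ts - t <= FAIL_WINDOW]
            if len(recent_fails[user]) >= FAIL_THRESHOLD and user not in burst_users:
                burst_users.add(user)
                findings.append(("MEDIUM", f"{ts} {len(recent_fails[user])} failed logins for {user} within {FAIL_WINDOW}"))
        elif rec["result"] == "SUCCESS":
            # Without MFA a guessed password alone grants access, so a success
            # shortly after a failure burst is the highest-priority finding.
            if user in burst_users and recent_fails[user] and ts - recent_fails[user][-1] <= FAIL_WINDOW:
                findings.append(("HIGH", f"{ts} {user} logged in from {src} after a failure burst"))
            recent_fails[user] = []
            burst_users.discard(user)
    return findings


if __name__ == "__main__":
    for severity, message in review(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the constructed sample the script reports the out-of-segment `svc_batch` connection, the five-failure burst for `carol`, and her subsequent success. A real deployment would read the previous day's log file instead of `SAMPLE_LOG`, and the findings are the items the reviewer signs off on; the sign-off record is what demonstrates the compensating control is actually operating.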