An organization is required by a compliance framework to encrypt all sensitive data at rest. However, a critical legacy database system central to operations does not support native encryption, and an upgrade is not feasible in the short term. To mitigate the risk, the security team implements stringent access control lists (ACLs), data loss prevention (DLP) tools, and continuous database activity monitoring. Which of the following BEST describes this set of security measures?
This is an example of a compensating control. Since the primary control (encryption at rest) cannot be implemented due to technical constraints, the organization has put alternative measures in place (strict ACLs, DLP, monitoring) to provide an equivalent level of protection and satisfy the security requirement's intent. While some of the individual measures are preventative, 'compensating control' is the most accurate and encompassing term for the overall strategy. Corrective controls are used to restore systems after an incident has occurred. Managerial controls relate to overarching security governance, such as policies and risk assessments, rather than specific technical implementations like these.