An organization is required by a compliance framework to encrypt all sensitive data at rest. However, a critical legacy database system central to operations does not support native encryption, and an upgrade is not feasible in the short term. To mitigate the risk, the security team implements stringent access control lists (ACLs), data loss prevention (DLP) tools, and continuous database activity monitoring. Which of the following BEST describes this set of security measures?
This is an example of a compensating control. Since the primary control (encryption at rest) cannot be implemented due to technical constraints, the organization has put alternative measures in place (strict ACLs, DLP, monitoring) to provide an equivalent level of protection and satisfy the security requirement's intent. While some of the individual measures are preventative, 'compensating control' is the most accurate and encompassing term for the overall strategy. Corrective controls are used to restore systems after an incident has occurred. Managerial controls relate to overarching security governance, such as policies and risk assessments, rather than specific technical implementations like these.