When a system cannot comply with the organization's security policy due to legitimate technical constraints, implementing additional measures that provide a similar level of defense is an acceptable approach.
Compensating controls are secondary security measures that are put in place to mitigate risk to an acceptable level when the primary control is not feasible. They are an accepted practice in information security management to ensure that, when certain security requirements cannot be met directly, alternative measures provide a comparable level of defense. The question describes a scenario where compensating controls would be appropriate.