When a system cannot comply with the organization's security policy due to legitimate technical constraints, implementing additional measures that provide a similar level of defense is an acceptable approach.
Compensating controls are secondary security measures that are put in place to mitigate risk to an acceptable level when the primary control is not feasible. They are an accepted practice in information security management to ensure that, when certain security requirements cannot be met directly, alternative measures provide a comparable level of defense. The question describes a scenario where compensating controls would be appropriate.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are compensating controls?
Open an interactive chat with Bash
Why are compensating controls important in information security?
Open an interactive chat with Bash
How do organizations determine the effectiveness of compensating controls?