Compensating controls are security measures put in place to mitigate the risk associated with identified vulnerabilities that cannot be immediately resolved. They serve as alternatives to the direct remediation of security weaknesses, often because technical, business, or financial constraints rule out an immediate fix. Implementing compensating controls allows an organization to continue operating securely by reducing the potential impact of the vulnerability until it can be properly addressed. Encryption is not inherently a compensating control but might be part of one, depending on the context. Threat intelligence and penetration testing are methods for identifying vulnerabilities, not compensating for them.