Which security measure provides risk mitigation when a primary control fails or cannot fully meet expectations?

Multiple Choice

Which security measure provides risk mitigation when a primary control fails or cannot fully meet expectations?

Explanation:
When a primary control can’t be implemented as intended or falls short of expectations, a compensating control is used to maintain risk at an acceptable level. Compensating controls are alternative safeguards chosen to achieve the same security objective when the preferred control isn’t feasible due to constraints like cost, complexity, or legacy systems. They’re designed to provide equivalent protection, receive management’s approval, and be documented as part of the risk treatment. This makes them a targeted way to bridge gaps and keep the overall security posture from slipping below acceptable levels.

Backup, while essential for recovery and availability, isn’t about substituting a failed security control to mitigate risk. Redundancy reduces the chance of a single point of failure by duplicating components, which is about reliability rather than substituting a required control. Mitigation is a broad term for reducing risk, but the specific mechanism described in the question—an alternative control chosen to satisfy a security requirement when the primary isn’t feasible—points to compensating controls.
