Question

Which of the following statements are true of proper compensating controls? Each correct answer represents a complete solution. Choose all that apply.

Option 1: Compensating controls mitigate risks when primary controls fail.
Option 2: Compensating controls are unnecessary in a well-designed security framework.
Option 3: Compensating controls are a replacement for primary controls.
Option 4: Compensating controls address specific vulnerabilities in the absence of primary controls.

Answer 1

Compensating controls address specific vulnerabilities in the absence of primary controls, while they are still necessary in a well-designed security framework.

Step-by-step explanation:

Compensating controls are additional security measures that are implemented when primary controls fail or are not feasible to implement. They address specific vulnerabilities in the absence of primary controls and help mitigate the associated risks. Therefore, Option 4: Compensating controls address specific vulnerabilities in the absence of primary controls is a true statement.

However, it is incorrect to say that compensating controls are unnecessary in a well-designed security framework. In fact, a well-designed security framework should include compensating controls as part of a layered defense strategy. These controls act as a backup and provide extra protection in case primary controls fail. Therefore, Option 2: Compensating controls are unnecessary in a well-designed security framework is false.

To summarize, Option 4 is true while Option 2 is false.