CompTIA CySA+ (CS0-003) — Question 124

A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

Answer options

• A. Corrective controls
• B. Compensating controls
• C. Operational controls
• D. Administrative controls

Correct answer: B

Explanation

The CISO implemented compensating controls, which are alternative measures taken to satisfy security requirements when segregation of duties is not feasible. Corrective controls aim to fix issues after they occur, while operational controls are focused on day-to-day operations, and administrative controls are related to policies and procedures rather than specific risk mitigation strategies.