CompTIA Security+ (SY0-501) — Question 670

A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario?

Answer options

• A. Physical
• B. Detective
• C. Preventive
• D. Compensating

Correct answer: D

Explanation

Compensating controls are designed to provide an alternative solution to mitigate risks when primary controls cannot be implemented. In this case, since the encryption standard cannot be upgraded, compensating controls can help manage the associated risks. The other options, such as physical, detective, and preventive controls, do not directly address the specific issue of inadequate encryption in this scenario.