CompTIA Security+ (SY0-601) — Question 394

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?

Answer options

• A. Exception
• B. Segmentation
• C. Risk transfer
• D. Compensating controls

Correct answer: D

Explanation

The actions taken by the organization are considered compensating controls because they provide alternative security measures to mitigate risks associated with the legacy system. Disabling unneeded services and adding a firewall are proactive steps to enhance security. The other options, such as segmentation and risk transfer, do not accurately describe the specific actions of enhancing security for an existing system.