CompTIA Security+ (SY0-701) — Question 74

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?

Answer options

• A. Exception
• B. Segmentation
• C. Risk transfer
• D. Compensating controls

Correct answer: D

Explanation

The actions taken by the organization are considered compensating controls because they provide alternative ways to mitigate risk in the absence of primary controls. Disabling services and implementing a firewall are both methods to enhance security and protect valuable systems. The other options do not accurately characterize these measures; for instance, segmentation refers to dividing networks, while risk transfer involves shifting the risk to another party.