Which term is an internal control that reduces risk of a control weakness by providing an alternative safeguard?


Multiple Choice

Which term is an internal control that reduces risk of a control weakness by providing an alternative safeguard?

Explanation:
The correct answer is a compensating control. A compensating control is used when the primary safeguard is not feasible or has a known weakness; it provides an alternative measure that still reduces the risk to an acceptable level. It is designed to meet the same control objective through a different mechanism, so the risk stays within tolerance even though the original control cannot be fully implemented. Because it is a substitute rather than a fix, the weakness it offsets and the rationale for accepting it should be documented and revisited whenever the original control becomes feasible.

Detective controls, in contrast, only identify that an event has occurred after the fact; they do not substitute for preventing or mitigating the weakness. Corrective controls restore systems or processes after an incident rather than offering an alternative safeguard for a missing or weak control. A control owner is the person accountable for a control, not a type of control.

For example, if the primary control for restricting access cannot be implemented because of system constraints, a compensating control might combine enhanced access reviews, mandatory dual approval for high-risk actions, and detailed audit logging to achieve a comparable level of risk reduction. Note that this package mixes detective elements (reviews, logs) with a preventive one (dual approval); what makes it a compensating control is that it is deployed in place of the infeasible primary control to meet the same objective.

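To make the access-control example concrete, here is an added illustration (not from the source page or from ISACA material) of what the compensating package might look like in code. It assumes a hypothetical system whose primary control, per-user authorization for sensitive actions, cannot be enforced, and substitutes dual approval for a constructed set of high-risk actions, a hash-chained audit log so that tampering with earlier entries is detectable, and a periodic access review that flags idle accounts. All action names, user names and the 90-day idle threshold are assumptions for the example.

```python
"""Compensating control for infeasible per-user authorization (added example).

Assumed scenario: the target system only offers a shared administrative
role, so the primary control (fine-grained authorization) cannot be applied.
The compensating control below combines dual approval, tamper-evident audit
logging and an access review to reduce the same risk by other means.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed classification of high-risk actions; in practice the risk owner defines this.
HIGH_RISK_ACTIONS = {"delete_database", "change_firewall_rule", "grant_admin"}
REQUIRED_APPROVALS = 2  # "dual approval": two independent approvers


@dataclass
class AuditLog:
    """Append-only log where each entry commits to the hash of the previous one."""
    entries: list = field(default_factory=list)

    def record(self, **event) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks a later hash."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


class CompensatingControl:
    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self.last_activity: dict[str, datetime] = {}

    def request_action(self, actor: str, action: str, approvers: list[str], now: datetime) -> bool:
        """Allow a high-risk action only with two approvers other than the requester."""
        self.last_activity[actor] = now
        if action not in HIGH_RISK_ACTIONS:
            self.audit.record(actor=actor, action=action, outcome="allowed",
                              reason="not high-risk", at=now.isoformat())
            return True
        independent = {a for a in approvers if a != actor}  # self-approval does not count
        ok = len(independent) >= REQUIRED_APPROVALS
        self.audit.record(actor=actor, action=action, approvers=sorted(independent),
                          outcome="allowed" if ok else "denied",
                          reason="dual approval satisfied" if ok else "insufficient independent approvals",
                          at=now.isoformat())
        return ok

    def access_review(self, now: datetime, max_idle: timedelta = timedelta(days=90)) -> list[str]:
        """Enhanced access review: accounts idle longer than max_idle are flagged for removal."""
        stale = sorted(u for u, t in self.last_activity.items() if now - t > max_idle)
        self.audit.record(action="access_review", flagged=stale, at=now.isoformat())
        return stale


def demo() -> dict:
    """Run the control over constructed requests and return the outcomes."""
    audit = AuditLog()
    ctrl = CompensatingControl(audit)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    results = {
        # requester listed as one of the approvers: only one independent approval
        "self_approved": ctrl.request_action("alice", "delete_database", ["alice", "bob"], t0),
        "dual_approved": ctrl.request_action("alice", "delete_database", ["bob", "carol"], t0),
        "low_risk": ctrl.request_action("dave", "read_report", [], t0),
    }
    ctrl.request_action("bob", "read_report", [], t0 + timedelta(days=100))  # bob stays active
    results["stale_accounts"] = ctrl.access_review(t0 + timedelta(days=120))
    results["log_intact"] = audit.verify()
    return results


def tamper_detected() -> bool:
    """Rewrite a logged outcome after the fact and confirm the chain check catches it."""
    audit = AuditLog()
    CompensatingControl(audit).request_action(
        "alice", "grant_admin", ["bob", "carol"], datetime(2024, 1, 1, tzinfo=timezone.utc))
    audit.entries[0]["event"]["outcome"] = "denied"  # simulated tampering
    return not audit.verify()


if __name__ == "__main__":
    print(demo())
    print("tamper detected:", tamper_detected())
```

The point of the combination is that no single piece replaces the missing authorization check: dual approval prevents a lone operator from acting, the hash chain makes the log trustworthy as evidence, and the review catches accumulated access that the primary control would have prevented from existing.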