Management may mitigate information security risks by implementing controls. Controls may be categorized according to timing and nature.

It is important to have a layered control system, which deploys different controls at different points of a business process and throughout an IT system so that the strength of one control can compensate for weaknesses in or possible failure of another control. Therefore, layered controls function in an integrated fashion to more effectively mitigate risk.
Economic and technical considerations generally determine, in system design, where a risk is addressed by prevention and where it is addressed by detection or response.
Compensating controls are controls that adjust for weaknesses within the system or process. An example of compensating controls would be a review of activity logs for applications that do not allow proper segregation of duties.
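The compensating control named above, as an added example that is not part of the handbook: an application that lets one user both create and approve a payment cannot enforce segregation of duties itself, so its activity log is reviewed after the fact and any transaction created and approved by the same user is flagged. The log format, field names and sample entries are constructed for illustration.

```python
# Added example: detective compensating control for missing segregation of duties.
# Assumed log format (one event per line): <timestamp> <user> <action> <transaction id>
from collections import defaultdict

# Constructed sample activity log; tx-1002 is the segregation-of-duties violation.
SAMPLE_LOG = """\
2024-03-01T09:12:04 alice CREATE_PAYMENT tx-1001
2024-03-01T09:15:30 bob APPROVE_PAYMENT tx-1001
2024-03-01T10:02:11 carol CREATE_PAYMENT tx-1002
2024-03-01T10:02:45 carol APPROVE_PAYMENT tx-1002
2024-03-01T11:40:00 dave CREATE_PAYMENT tx-1003
this line is malformed and must be counted, not silently dropped
"""


def parse_log(text):
    """Return (events, malformed_count); events are (ts, user, action, tx_id) tuples.

    Malformed lines are counted because a reviewer needs to know the log may be
    incomplete: a compensating control that quietly skips entries is weaker than it looks.
    """
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            malformed += 1
            continue
        events.append(tuple(fields))
    return events, malformed


def find_sod_violations(events):
    """Return {tx_id: user} for every transaction one user both created and approved."""
    creators = {}
    approvers = defaultdict(set)
    for _, user, action, tx_id in events:
        if action == "CREATE_PAYMENT":
            creators[tx_id] = user
        elif action == "APPROVE_PAYMENT":
            approvers[tx_id].add(user)
    return {tx: user for tx, user in creators.items() if user in approvers[tx]}


if __name__ == "__main__":
    events, malformed = parse_log(SAMPLE_LOG)
    for tx, user in sorted(find_sod_violations(events).items()):
        print(f"SoD violation: {user} created and approved {tx}")
    print(f"{malformed} malformed log line(s) could not be reviewed")
```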