Understanding compensating controls for risk change
- Updated Feb 1, 2024
- Washington DC
- Security Operations
Compensating controls are the measures taken to reduce the risk posed by vulnerabilities that can't be patched immediately. They mitigate either the likelihood or the impact of a successful exploit, so applying them lowers the residual risk of the vulnerability without removing the underlying flaw.
The following table shows the use cases for compensating controls:
| Use case | Compensating control |
|---|---|
| A vulnerability in a web server that enables attackers to execute arbitrary code. | Implement a web application firewall (WAF) to block malicious requests to the web server. |
| A vulnerability in an operating system that enables attackers to escalate privileges to root. | Implement application control to restrict the execution of applications on the host system. |
| A vulnerability in a database server that enables attackers to access sensitive data. | Implement network segmentation to isolate the database server from other hosts and critical systems. |
For more information on the impact of compensating controls on the risk score of a vulnerable item and remediation task, see Impact of the compensating controls on risk score and expiration date.
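As an added illustration of the idea above (not ServiceNow's own code or its actual scoring algorithm), the following Python models a small compensating-control library whose entries are associated with CVEs, carry a hypothetical risk-reduction fraction, and expire on a date; the adjusted risk of a vulnerable item only reflects controls that are still active, so an expired control lets the risk revert to its base value. All names, CVE identifiers and scores are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data. The reduction factors and the multiplicative
# scoring model are illustrative assumptions, not ServiceNow's algorithm.

@dataclass(frozen=True)
class CompensatingControl:
    name: str
    cves: frozenset        # CVEs this library entry is associated with
    reduction: float       # hypothetical fraction of risk removed (0..1)
    expires: date          # the control no longer counts after this date

@dataclass(frozen=True)
class VulnerableItem:
    host: str
    cve: str
    base_risk: int         # hypothetical 0..100 score before any control

def active_controls(library, cve, today):
    """Library entries that apply to this CVE and have not yet expired."""
    return [c for c in library if cve in c.cves and today <= c.expires]

def adjusted_risk(item, library, today):
    """Apply each active control multiplicatively: two 50% controls leave 25%."""
    remaining = 1.0
    for control in active_controls(library, item.cve, today):
        remaining *= 1.0 - control.reduction
    return round(item.base_risk * remaining)

def risk_report(items, library, today):
    """Adjusted risk per (host, CVE) pair as of the given date."""
    return {(i.host, i.cve): adjusted_risk(i, library, today) for i in items}

# Placeholder CVE identifiers; real ones would come from the vulnerable items.
LIBRARY = [
    CompensatingControl("WAF blocks malicious requests",
                        frozenset({"CVE-0000-00001"}), 0.5, date(2024, 6, 30)),
    CompensatingControl("Database network segmentation",
                        frozenset({"CVE-0000-00002"}), 0.6, date(2024, 3, 31)),
]
ITEMS = [
    VulnerableItem("web01", "CVE-0000-00001", 90),
    VulnerableItem("db01", "CVE-0000-00002", 80),
    VulnerableItem("app01", "CVE-0000-00003", 70),   # no control associated
]

if __name__ == "__main__":
    for day in (date(2024, 2, 1), date(2024, 7, 1)):
        print(day, risk_report(ITEMS, LIBRARY, day))
```

Running it on 2024-02-01 shows both controls active; by 2024-07-01 both have expired and every item is back at its base risk, which is the case a vulnerability manager needs to track.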
Related Content
- Add a compensating control to the library
As a Vulnerability Manager or Analyst, add compensating controls to the Compensating Controls library in the Vulnerability Manager Workspace; these can be applied to risk changes for vulnerable items, application vulnerable items, remediation tasks, and application remediation tasks.
- Associate compensating controls with CVEs or TPEs for risk change requests
As a Vulnerability Manager or Analyst, you can associate relevant compensating controls with a CVE or TPE, which can be applied for risk change requests.
- Disable or enable risk change for a CVE or TPE
As a Vulnerability Manager or Analyst, you can disable or enable risk change requests for the host vulnerabilities associated with a Common Vulnerability Entry (CVE) or Third-party Entry (TPE) in the Vulnerability Manager Workspace.