Saturday, April 4, 2009

Compensating Controls
by Gerald Trites

Many of us who have worked in the controls field have from time to time been impressed, and even amazed, at the skill of some people in designing systems controls. We recognize in these times just how much of an art form good systems design can be.

The feature article in the Information Systems Security Association (ISSA) Journal this month recognizes this artistry as it relates to the design of compensating controls. When we discover vulnerabilities in a system, one of the first things we do is to look for compensating controls. If there are none, then the vulnerability must be addressed directly, hopefully by changing the system in some way to remove the problem or at least mitigate it. If this proves not to be possible or practical, then we must design a compensating control.

This raises issues, including developing a control that is going to be sustainable and one that will actually mitigate the existing vulnerability. Sometimes, compensating controls are developed that involve more work, but do not actually address the vulnerability.

Compensating controls are not necessarily the most efficient way of dealing with an issue, but they can be effective and necessary. The article, which is available online, discusses these and other issues around compensating controls, in an entertaining and informative way.
