Compensating Controls vs Defense-in-depth Strategy

Security Controls

The Onion Model depicts the layered defense or defense-in-depth strategy. It implements a variety of categories of safeguards or security controls in serial and integrates people, process, and technology (PPT) or personnel, operations, and technology (POT) capabilities across the organization to enforce security.

Compensating controls provide contingent or alternative protection to existing controls. For example,

  • PIN code is compensating for the Windows Hello facial recognition.
  • A HiTech company’s security baseline requires all mobile devices shall be provisioned with biometric authentication. However, a small portion of those devices cannot meet the requirement; they are exempted and allowed to implement token-based authentication as compensating controls.

Compensating Controls

The security and privacy controls implemented in lieu of the controls in the baselines described in NIST Special Publication 800-53 that provide equivalent or comparable protection for a system or organization.

Source: NIST Glossary

Compensating Security Control

  • A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
  • he security controls employed in lieu of the recommended controls in the security control baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253 that provide equivalent or comparable protection for an information system or organization.

Source: NIST Glossary


  • Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
  • The application of multiple countermeasures in a layered or stepwise manner to achieve security objectives. The methodology involves layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another.

Source: NIST Glossary

An Example of Compensation or Defense-in-depth?

A compensation access control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control.

For example, an organizational policy may dictate that all PII must be encrypted. A review discovers that a preventive control is encrypting all PII data in databases, but PII transferred over the network is sent in cleartext. A compensation control can be added to protect the data in transit.

Source: ISC2 CISSP Official Study Guide, 7th Edition


Leave a Reply