Audit Information systems & IT Security
Audit Information systems & IT Security
Menu

: Home

: Terminology

: Best Practice
: : COBIT
: : ISO 27002 (ISO 17799)
: : ISO 27001
: : ISO 27000 Series
: : ISO 20000 - ITIL
: : COSO
: : Info Security Policy
: : Security Domains

: SOX

: Links
: : Organisations
: : Standards Orgs
: : Audit Links
: : Security Links

: The News Page

: Your IP Address

: Contact
: Legal Disclaimer
Search







Audit Information systems & and IT Security

Information System audit and IT Security

Definitions and Terminology

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z


Compensating controls


controls that operate at a level of precision that would result in the prevention or detection of a misstatement that was more than inconsequential or material, as applicable, to annual or interim financial statements. The level of precision should be established considering the possibility of further undetected misstatements.

source: Framework for Evaluating Control Excepti:IIA:2004

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. See Compensating Controls Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.

source: PCI DSS, 2008


Google
 
Web www.audit-is.com

 

 



   
Auditing Security and IT Systems
Copyright 2006-2008. All Rights Reserved. Something missing on this page? Let us know