What remediation practice involves mitigative measures when a vulnerability cannot be directly eliminated?


The practice is the use of compensating controls, which is essential when a vulnerability cannot be directly eliminated. Compensating controls are alternative security measures implemented to reduce the risk associated with a vulnerability. They serve as a stopgap to mitigate potential threats until direct remediation, such as deploying patches or updates, can be achieved.

For example, if a software application has a known vulnerability that cannot be patched immediately, an organization might implement additional monitoring, access controls, or intrusion detection systems as compensating controls to safeguard the environment from potential exploitation of that vulnerability. This strategic use of compensating controls helps maintain security posture while working towards a more permanent solution.

In contrast, risk acceptance involves acknowledging that a risk exists and deciding to proceed without any mitigation because that risk is deemed acceptable. A remediation plan outlines the steps for addressing vulnerabilities but does not specifically focus on alternative measures, while security patching refers to applying fixes directly to the vulnerable software. Compensating controls are distinct because they provide protection in scenarios where patching or other direct changes cannot be applied immediately.
