I have some doubts regarding some cccure Quiz questions and concepts mentioned below. Would really appreciate it if you could take out some time and help me with them. Request you to please provide a quick reply as I need to appear for the exam in the month of July.
#1: I realize that we need to stay in the context of the question at hand (given Qs + 4 options = your world), but for my understanding please clarify what kind of controls these are:
Backup - (is it a Recovery control?)
BCP - (is it a Recovery control?)
Insurance - ?
(Security Awareness = Preventive control as confirmed by the explanation as well)
#2: As per Shon Harris AIO 5th Edition (Pg 239): Any control can really end up being a compensating control. An organization would choose a compensating control if another control is too expensive but protection is still needed.
So no control is a compensating control to begin with and at all times. Then how do we really determine which control is a compensating control and which one is not?