Definitions

General

A compensating control is

a cybersecurity control employed in lieu of a recommended control that provides equivalent or comparable control.[1]
[a] management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.[2]

Medical advice

a safeguard or countermeasure, external to the device, employed by a user in lieu of, or in the absence of sufficient controls that were designed in by a device manufacturer, and that provides supplementary or comparable cyber protection for a medical device.[3]

References

  1. Electricity Subsector Cybersecurity Risk Management Process, at 61.
  2. FFIEC Information Technology Examination Handbook-Information Security, at 76.
  3. Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff, at 7-8.