Organizations that cannot meet one or more of these provisions may submit a separate written request for approval of an exception in the form of an attachment to this affidavit; any request for exception(s) to these Security Guidelines must include information on compensating controls.
Compensating controls are the security measures the requesting organization has in place that do not specifically comply with one or more provisions of the Security Guidelines but address the underlying security requirement (data encryption, access logging, etc.) referenced in the Security Guidelines provision(s).
This information was previously contained in provision number 9 but has now been moved into a separate provision to ensure that data requestors whose data storage solutions do not comply with one or more provisions of the Security Guidelines are aware of the requirement to submit a description of compensating controls.