A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provide equivalent or comparable protection for a process or system. Adapted from: FFIEC IT Examination Handbook, Information Security. 2021. https://ithandbook.ffiec.gov/glossary.aspx
