Topic 1A: Security Concepts

Topic 1A: Security Concepts

February 19, 2026 4 min read Cyber Notes Facile
CompTIA Security+ (SY0-701)

Information Security

Summary

Information security (infosec) involves protecting data resources from unauthorized access, attack, theft, or damage. It ensures data confidentiality, integrity, and availability, collectively known as the CIA Triad. Non-repudiation is also a critical aspect, ensuring actions cannot be denied.

Detailed Explanation

CIA Triad

Confidentiality

  • Definition: Information can only be read by authorized individuals.
  • Purpose: Prevents unauthorized access to sensitive data.

Integrity

  • Definition: Data is stored and transferred as intended, without unauthorized modifications.
  • Purpose: Ensures data accuracy and trustworthiness.

Availability

  • Definition: Information is accessible to authorized users when needed.
  • Purpose: Ensures reliable access to data and resources.

Non-repudiation

  • Definition: Ensures that a person cannot deny performing an action, such as creating, modifying, or sending a resource.
  • Example: Legal documents, like wills, often require witnesses to confirm their execution.

Key Points

CIA Triad

  • Confidentiality: Authorized access only.
  • Integrity: Accurate and unaltered data.
  • Availability: Reliable access for authorized users.

Non-repudiation

  • Definition: Actions cannot be denied.
  • Example: Witnesses for legal documents.

Cybersecurity Framework

Summary

Cybersecurity focuses on securing processing hardware and software to ensure information security. The National Institute of Standards and Technology (NIST) framework classifies cybersecurity tasks into five functions: Identify, Protect, Detect, Respond, and Recover.

Detailed Explanation

Identify

  • Definition: Develop security policies and capabilities.
  • Tasks: Evaluate risks, threats, and vulnerabilities; recommend security controls to mitigate them.

Protect

  • Definition: Ensure security is embedded in every stage of IT hardware and software lifecycle.
  • Tasks: Procure, develop, install, operate, and decommission IT assets securely.

Detect

  • Definition: Perform ongoing monitoring to ensure controls are effective.
  • Tasks: Proactively monitor for new types of threats.

Respond

  • Definition: Address threats to systems and data security.
  • Tasks: Identify, analyze, contain, and eradicate threats.

Recover

  • Definition: Restore systems and data after an attack.
  • Tasks: Implement cybersecurity resilience measures.

Key Points

Identify

  • Policies and Capabilities: Develop and evaluate.
  • Risks and Controls: Assess and recommend.

Protect

  • Lifecycle Security: Embed security in IT asset lifecycle.
  • Operations: Securely manage IT assets.

Detect

  • Monitoring: Ongoing and proactive.
  • Threats: Identify new threats.

Respond

  • Threat Management: Analyze and contain threats.
  • Eradication: Remove threats.

Recover

  • Resilience: Restore systems and data.
  • Recovery Measures: Implement resilience strategies.

Gap Analysis

Summary

Gap analysis identifies deviations between an organization’s current security systems and the requirements or recommendations of a cybersecurity framework. It helps in achieving compliance and improving security by highlighting missing or poorly configured controls and providing remediation recommendations.

Detailed Explanation

Security Functions and Outcomes

Identify Function

  • Example Outcome: Inventory of company assets.
  • Achievement: Implementing security controls.

Security Controls

  • Challenges: Numerous categories and types make selection difficult.

Cybersecurity Framework

  • Purpose: Guides selection and configuration of controls.
  • Benefits: Prevents building security programs in isolation; ensures important security concepts are covered.

Framework Usage

  • Capabilities: Allows objective assessment of current cybersecurity capabilities.
  • Target Level: Identifies target capability level and prioritizes investments.
  • Compliance: Provides structure for risk management and regulatory compliance.

Gap Analysis Process

  • Purpose: Identifies deviations from framework requirements.
  • Timing: Performed when adopting a framework or meeting new compliance requirements; repeated periodically.
  • Report: Provides overall score, list of missing/poorly configured controls, and remediation recommendations.
  • Involvement: May involve third-party consultants for complex frameworks and compliance requirements.

Key Points

Security Functions and Outcomes

  • Identify Function: Inventory of assets.
  • Security Controls: Implement to achieve outcomes.

Security Controls

  • Selection Challenges: Numerous categories and types.

Cybersecurity Framework

  • Guidance: Selection and configuration of controls.
  • Benefits: Comprehensive security program development.

Framework Usage

  • Capabilities Assessment: Objective statement of current capabilities.
  • Target Level: Identify and prioritize investments.
  • Compliance: Structure for risk management and compliance.

Gap Analysis Process

  • Purpose: Identify deviations from framework.
  • Timing: Initial adoption, new compliance, periodic review.
  • Report: Score, missing controls, remediation.
  • Consultants: May involve third-party specialists.

Access Control

Summary

Access control systems ensure that information systems meet the goals of the CIA triad (Confidentiality, Integrity, Availability). They govern how subjects (users, devices, processes) interact with objects (resources like networks, servers, databases). Modern access control is typically implemented through Identity and Access Management (IAM) systems, which include processes for identification, authentication, authorization, and accounting.

Detailed Explanation

Access Control System

  • Purpose: Ensures information systems meet CIA triad goals.
  • Subjects: People, devices, software processes requesting access.
  • Objects: Resources such as networks, servers, databases, apps, files.
  • Permissions: Rights assigned to subjects for accessing resources.

Identity and Access Management (IAM)

Identification

  • Definition: Creating an account or ID representing the user, device, or process.
  • Example: Unique user accounts on a network.

Authentication

  • Definition: Proving the identity of a subject attempting to access a resource.
  • Example: Passwords for people, digital certificates for systems.

Authorization

  • Definition: Determining and enforcing rights on resources.
  • Models:
    • Discretionary: Object owner allocates rights.
    • Mandatory: System-enforced rules predetermine rights.

Accounting

  • Definition: Tracking and alerting on the usage of resources.
  • Example: Recording customer actions on an e-commerce site.

Key Points

Access Control System

  • CIA Triad: Confidentiality, Integrity, Availability.
  • Subjects and Objects: Interaction governance.
  • Permissions: Rights assignment.

IAM Processes

  • Identification: Unique representation of users/devices.
  • Authentication: Proving identity.
  • Authorization: Rights determination and enforcement.
  • Accounting: Usage tracking and alerting.

E-commerce Example

  • Identification: Verify legitimate customers.
  • Authentication: Unique accounts management.
  • Authorization: Valid payment mechanisms, special offers.
  • Accounting: Record customer actions.