Topic 1B: Security Controls

CompTIA Security+ (SY0-701)

Security Control Categories

Summary

Security controls ensure that systems and data assets maintain confidentiality, integrity, availability, and non-repudiation. These controls are categorized into managerial, operational, technical, and physical, each addressing different aspects of security implementation.


Detailed Explanation

Security Controls

  • Purpose: Provide systems and data assets with confidentiality, integrity, availability, and non-repudiation.
  • Categories:
    • Managerial: Oversight and evaluation.
    • Operational: Implemented by people.
    • Technical: Implemented as systems.
    • Physical: Deter and detect physical access.

Category Overview Table

  • Managerial
    • Definition: Provide oversight of the information system
    • Implementation Type: Policies & evaluation
    • Examples: Risk identification, evaluation tools
  • Operational
    • Definition: Implemented primarily by people
    • Implementation Type: Human-driven controls
    • Examples: Security guards, training programs
  • Technical
    • Definition: Implemented as hardware, software, or firmware
    • Implementation Type: System-based controls
    • Examples: Firewalls, antivirus software, OS access control models
  • Physical
    • Definition: Deter and detect access to premises and hardware
    • Implementation Type: Environmental safeguards
    • Examples: Security cameras, alarms, gateways, locks, lighting, security guards

Key Points

Security Controls

  • Purpose: Ensure confidentiality, integrity, availability, non-repudiation.
  • Categories: Managerial, operational, technical, physical.

Managerial Controls

  • Oversight: Risk identification, evaluation tools.

Operational Controls

  • People-Based: Security guards, training programs.

Technical Controls

  • System-Based: Firewalls, antivirus software, OS access control models.

Physical Controls

  • Access Deterrence: Security cameras, alarms, gateways, locks, lighting, security guards.

Security Control Functional Types

Summary

Security controls can be defined by their function: preventive, detective, corrective, directive, deterrent, and compensating. Each type serves a specific role in protecting information systems and data assets.


Functional Types Table

  • Preventive
    • Definition: Eliminate or reduce the likelihood of an attack succeeding
    • Operation Timing: Before an attack
    • Examples: Access Control Lists (ACLs), antimalware software
  • Detective
    • Definition: Identify and record attempted or successful intrusions
    • Operation Timing: During an attack
    • Examples: Logs
  • Corrective
    • Definition: Eliminate or reduce the impact of a security policy violation
    • Operation Timing: After an attack
    • Examples: Backup systems, patch management systems
  • Directive
    • Definition: Enforce rules of behavior, policies, and procedures
    • Operation Timing: Ongoing
    • Examples: Employee contracts, training programs
  • Deterrent
    • Definition: Psychologically discourage attackers
    • Operation Timing: Before an attempt
    • Examples: Signs and warnings
  • Compensating
    • Definition: Substitute for principal controls, providing equivalent or better protection
    • Operation Timing: Alternative measure
    • Examples: Alternative technologies

Detailed Explanation

Preventive Controls

  • Definition: Eliminate or reduce the likelihood of an attack succeeding.
  • Operation: Before an attack.
  • Examples:
    • Access Control Lists (ACLs): Configured on firewalls and file systems.
    • Antimalware Software: Blocks malicious processes.

Detective Controls

  • Definition: Identify and record attempted or successful intrusions.
  • Operation: During an attack.
  • Examples:
    • Logs: Record events and activities.

Corrective Controls

  • Definition: Eliminate or reduce the impact of a security policy violation.
  • Operation: After an attack.
  • Examples:
    • Backup Systems: Restore damaged data.
    • Patch Management Systems: Fix vulnerabilities.

Directive Controls

  • Definition: Enforce rules of behavior, policies, and procedures.
  • Examples:
    • Employee Contracts: Set disciplinary procedures.
    • Training Programs: Raise awareness and enforce policies.

Deterrent Controls

  • Definition: Psychologically discourage attackers.
  • Examples:
    • Signs and Warnings: Legal penalties for trespass or intrusion.

Compensating Controls

  • Definition: Substitute for principal controls, providing equivalent or better protection.
  • Examples:
    • Alternative Technologies: Different methods to achieve security.
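As an added illustration (not part of the original notes), the following Python script shows a preventive control and a detective control working together: an ACL evaluated first-match-wins with an implicit deny blocks traffic before it reaches a service, and the event log it writes is then reviewed to surface source addresses that were denied repeatedly. The ACL rules, addresses and connection attempts are constructed for the example and do not describe any real network.

```python
"""Preventive and detective controls working together (added example).

The ACL is the preventive control: it decides before any traffic reaches
the protected service.  The event log it writes is the detective control:
it records attempted and successful accesses so an analyst can find
intrusions after the fact.  Rules, addresses and attempts below are
constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    network: str          # CIDR the source address must fall within
    port: Optional[int]   # destination port; None matches any port


# Constructed ACL: first matching rule wins, implicit deny at the end.
ACL = [
    Rule("allow", "10.0.0.0/8", 443),
    Rule("allow", "10.0.0.0/8", 22),
    Rule("deny", "0.0.0.0/0", None),
]


@dataclass
class EventLog:
    """Append-only record of every decision the ACL makes."""
    entries: List[str] = field(default_factory=list)

    def record(self, src: str, port: int, decision: str) -> None:
        self.entries.append(f"src={src} dport={port} decision={decision}")


def evaluate(acl: List[Rule], src: str, port: int, log: EventLog) -> str:
    """Preventive control: return 'allow' or 'deny' for one connection attempt."""
    addr = ip_address(src)
    for rule in acl:
        if addr in ip_network(rule.network) and rule.port in (None, port):
            log.record(src, port, rule.action)
            return rule.action
    log.record(src, port, "deny")  # implicit deny when nothing matched
    return "deny"


def repeated_denials(log: EventLog, threshold: int = 3) -> List[str]:
    """Detective analysis: sources denied at least `threshold` times."""
    counts: Dict[str, int] = {}
    for entry in log.entries:
        fields = dict(kv.split("=", 1) for kv in entry.split())
        if fields["decision"] == "deny":
            counts[fields["src"]] = counts.get(fields["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample of connection attempts (source address, destination port).
ATTEMPTS: List[Tuple[str, int]] = [
    ("10.1.2.3", 443), ("10.1.2.3", 22), ("10.1.2.3", 3389),
    ("203.0.113.9", 22), ("203.0.113.9", 443), ("203.0.113.9", 3389),
    ("198.51.100.4", 443),
]


def run(attempts: List[Tuple[str, int]] = ATTEMPTS):
    """Apply the ACL to every attempt, then review the resulting log."""
    log = EventLog()
    decisions = [evaluate(ACL, src, port, log) for src, port in attempts]
    return decisions, log, repeated_denials(log)


if __name__ == "__main__":
    decisions, log, flagged = run()
    for line in log.entries:
        print(line)
    print("sources repeatedly denied:", flagged)
```

The point of the pairing is that neither control is sufficient alone: the ACL stops the individual attempts, but only the log makes the pattern of repeated denials visible to an analyst.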

Key Points

  • Preventive Controls: Prevent attacks (ACLs, antimalware software).
  • Detective Controls: Detect and record intrusions (Logs).
  • Corrective Controls: Mitigate impact post-attack (Backup systems, patch management).
  • Directive Controls: Enforce behavior and policies (Employee contracts, training programs).
  • Deterrent Controls: Discourage attacks (Legal warnings).
  • Compensating Controls: Substitute for primary controls (Alternative security technologies).

Information Security Roles and Responsibilities

Summary

A security policy defines how an organization will protect the confidentiality, availability, and integrity of its data and resources. Effective implementation varies by organization type but aims to ensure a strong security posture. Responsibilities are distributed across various roles, from executives to nontechnical staff.


Detailed Explanation

Security Policy

  • Definition: Formal statement outlining security implementation.
  • Purpose: Protects data confidentiality, availability, and integrity.

Implementation Variations

  • Different Organizations: Schools, firms, manufacturers have unique implementations.
  • Common Goal: Secure employees, equipment, and data.

Organizational Security Posture

  • Framework-Based Controls: Use of best practices and security frameworks.
  • Employee Awareness: Understanding roles and responsibilities.

Roles and Responsibilities Table

  • Chief Information Officer (CIO): Overall IT function, possibly security
  • Chief Technology Officer (CTO): Effective use of IT products and solutions
  • Chief Security Officer (CSO) / Chief Information Security Officer (CISO): Dedicated security department
  • Managers: Specific domains like building control, web services
  • Technical and Specialist Staff: Implementing, maintaining, monitoring security policies (e.g., Information Systems Security Officer - ISSO)
  • Nontechnical Staff: Complying with policies and legislation
  • Directors/Owners: External security due care or liability

Shared Responsibility: All employees contribute to security.


Key Points

  • Security Policy: Formalized security implementation; protects data and resources.
  • Implementation Variations: Unique per organization; common goal is asset protection.
  • Organizational Security Posture: Framework-based controls and employee awareness.
  • Roles:
    • CIO: IT and security oversight.
    • CTO: IT product and solution effectiveness.
    • CSO/CISO: Security department management.
    • Managers: Domain-specific responsibilities.
    • Technical Staff: Policy implementation and monitoring.
    • Nontechnical Staff: Policy compliance.
    • Directors/Owners: External security responsibility.

Information Security Competencies

Summary

IT professionals with security responsibilities need a broad skill set, covering network and application design, procurement, and HR. Their roles include risk assessment, system configuration, access control, incident response, and training.


Competencies Table

  • Risk Assessments and Testing
    • Activities: Participate in risk assessments and security system testing
    • Outcome: Improve security recommendations
  • Device and Software Management
    • Activities: Specify, source, install, configure secure devices/software
    • Outcome: Secure and up-to-date systems
  • Access Control
    • Activities: Set up and maintain document access control and user privilege profiles
    • Outcome: Controlled access to sensitive information
  • Audit and Monitoring
    • Activities: Monitor audit logs, review privileges, document access controls
    • Outcome: Detect unauthorized access
  • Incident Response
    • Activities: Manage security-related incident response and reporting
    • Outcome: Mitigate security incidents
  • Business Continuity & Disaster Recovery
    • Activities: Create and test continuity and recovery plans
    • Outcome: Ensure recovery from disruptions
  • Training and Education
    • Activities: Participate in security training programs
    • Outcome: Updated skills and knowledge
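Two of the competencies above, maintaining user privilege profiles and periodically reviewing privileges, can be turned into a repeatable check. The Python script below is an added example, not part of the original notes: it compares the groups each account actually holds against the least-privilege profile defined for its role and reports excess and missing grants. The role profiles and the directory export are constructed for illustration.

```python
"""Privilege review against role profiles (added example).

Excess grants are the security-relevant finding: they widen what a
compromised or misused account can reach.  Missing grants are reported
too, because they usually mean the profile or the grant has drifted.
Profiles and accounts below are constructed, not taken from a real directory.
"""
from typing import Dict, List, Set, Tuple

# Constructed least-privilege profiles: the groups a role is expected to hold.
ROLE_PROFILES: Dict[str, Set[str]] = {
    "analyst": {"vpn-users", "siem-readers"},
    "sysadmin": {"vpn-users", "server-admins", "siem-readers"},
    "hr": {"vpn-users", "hr-records"},
}

# Constructed directory export: (user, assigned role, groups actually held).
ACCOUNTS: List[Tuple[str, str, Set[str]]] = [
    ("alice", "analyst", {"vpn-users", "siem-readers"}),
    ("bob", "hr", {"vpn-users", "hr-records", "server-admins"}),   # excess
    ("carol", "sysadmin", {"vpn-users", "server-admins"}),         # missing
    ("dave", "analyst", {"vpn-users", "siem-readers", "hr-records"}),  # excess
]

Finding = Tuple[str, str, str]  # (user, kind, group-or-role)


def review(accounts=ACCOUNTS, profiles=ROLE_PROFILES) -> List[Finding]:
    """Return one finding per deviation from the role profile.

    kind is 'excess' (held but not in profile), 'missing' (in profile but
    not held) or 'unknown-role' (no profile exists for the assigned role).
    """
    findings: List[Finding] = []
    for user, role, groups in accounts:
        expected = profiles.get(role)
        if expected is None:
            # An account whose role has no profile cannot be reviewed;
            # surface it rather than silently treating every group as excess.
            findings.append((user, "unknown-role", role))
            continue
        for group in sorted(groups - expected):
            findings.append((user, "excess", group))
        for group in sorted(expected - groups):
            findings.append((user, "missing", group))
    return findings


def excess_only(accounts=ACCOUNTS, profiles=ROLE_PROFILES) -> Dict[str, List[str]]:
    """Just the over-privileged accounts, keyed by user, for a revocation list."""
    out: Dict[str, List[str]] = {}
    for user, kind, group in review(accounts, profiles):
        if kind == "excess":
            out.setdefault(user, []).append(group)
    return out


if __name__ == "__main__":
    for user, kind, item in review():
        print(f"{user:8} {kind:13} {item}")
    print("revocation candidates:", excess_only())
```

Running the review on a schedule, and after every role change, is what turns the static privilege profile into the audit-and-monitoring outcome listed above: unauthorized or stale access is detected rather than assumed absent.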

Key Points

  • Risk Assessments: Assess and recommend improvements.
  • Device Management: Secure installation and configuration.
  • Access Control: Maintain user privilege profiles.
  • Audit and Monitoring: Review logs and access controls.
  • Incident Response: Manage and report incidents.
  • Business Continuity: Create and test recovery plans.
  • Training: Continuous security education.

Information Security Business Units

Summary

Information security business units include the Security Operations Center (SOC), DevSecOps, and Incident Response teams. These units are essential for monitoring, protecting, and responding to security incidents within an organization.


Business Units Table

  • Security Operations Center (SOC)
    • Definition: Centralized location where security professionals monitor and protect critical assets
    • Key Functions: Monitor and protect finance, operations, sales/marketing
    • Notes: Common in large organizations
  • DevSecOps
    • Definition: Integration of security into the DevOps lifecycle
    • Key Functions: Embed security from the planning stage (shift left); collaboration across teams
    • Notes: Faster and more secure development
  • Incident Response (CIRT/CSIRT/CERT)
    • Definition: Dedicated team managing security incidents
    • Key Functions: Single point of contact; incident handling
    • Notes: May be part of the SOC or independent

Key Points

Security Operations Center (SOC)

  • Centralized monitoring of critical assets.
  • Covers multiple business functions.
  • Common in large organizations due to cost and complexity.

DevSecOps

  • Security integrated into software development.
  • Shift Left: Early security considerations.
  • Collaboration between developers, administrators, and security specialists.
  • Benefit: Faster, reliable, secure software.

Incident Response

  • Dedicated team (CIRT/CSIRT/CERT).
  • Single point of contact for incidents.
  • Ensures effective incident management.