Security Control Categories
- Technical controls – Implemented through technology (firewalls, encryption, access control lists).
- Managerial controls – Administrative policies and procedures (risk assessments, security policies).
- Operational controls – Day-to-day processes performed by people (security awareness training, background checks).
- Physical controls – Tangible barriers (locks, fences, badge readers, security cameras).
Security Control Types
- Preventive – Stop an incident before it occurs (e.g., firewall rules).
- Detective – Identify incidents in progress or after the fact (e.g., IDS, audit logs).
- Corrective – Minimize damage and restore systems after an incident (e.g., backups, patches).
- Deterrent – Discourage potential attackers (e.g., warning signs, login banners).
- Compensating – Alternative controls used when primary controls are not feasible.
- Directive – Direct subjects toward secure behavior (e.g., acceptable use policies).
Core Security Principles (CIA Triad)
- Confidentiality – Ensure information is accessible only to authorized parties.
- Integrity – Ensure data is accurate and has not been improperly modified.
- Availability – Ensure systems and data are accessible when needed.
Additional Key Concepts
- Non-repudiation – Proof that a specific entity performed an action; commonly achieved with digital signatures.
- Authentication, Authorization, and Accounting (AAA) – The framework for verifying identity, granting access, and logging activity.
- Zero Trust – A model that assumes no user or device is trusted by default, requiring continuous verification regardless of network location.
- Gap analysis – Comparing current security posture against a desired or required baseline to identify deficiencies.
- Security through obscurity – Relying solely on secrecy of design as a security mechanism; considered weak and insufficient on its own.
The SY0-701 exam expects candidates to recognize these control categories and types in scenario-based questions and to apply core principles when evaluating security decisions.