Andrew Despres

CompTIA Security+ SY0-701 1.1 Study Guide: Understanding Security Controls

In the field of IT security, professionals face a constant barrage of risks from attackers seeking to gain unauthorized access to systems. The goal of security is to implement a layered defense to prevent these security events from occurring, minimize their impact if they do, and limit the damage once a breach is detected. This protection extends beyond just data to include physical systems, buildings, and personnel. The tools used to achieve this are known as security controls. This guide breaks down the essential categories and types of security controls you need to know for the CompTIA Security+ SY0-701 exam.

The Four Categories of Security Controls

Security controls can be broadly organized into four categories, each defined by how the control is implemented: through technology, policy, people, or physical objects.

1. Technical Controls

Technical controls are implemented using technology, software, or systems to enforce security. These are the logical protections configured by administrators.

  • Definition: Controls that use technical systems to allow or disallow specific functions.
  • Examples from Source:
    • Operating system controls (for example, file permissions and account settings enforced by the OS)
    • Firewalls
    • Antivirus software
  • Real-World Analogy: Think of the passcode or facial recognition feature on a smartphone. It's a technical system that authenticates a user and grants or denies access to the device's functions.

2. Managerial Controls

Managerial controls are centered on policies, procedures, and documentation that guide people's actions and define security best practices.

  • Definition: Controls implemented through security policies, procedures, and standard operating procedures to guide personnel.
  • Examples from Source:
    • Official security policy documentation
    • Onboarding policies for new hires
    • Policies for reporting security issues
  • Real-World Analogy: A company's employee handbook is a managerial control. It doesn't physically stop an employee from doing something, but it documents the rules, expectations, and consequences for behavior.

3. Operational Controls

Operational controls are executed by people rather than technology. They focus on the day-to-day human-driven processes that support security.

  • Definition: Controls that are set and managed by people.
  • Examples from Source:
    • Security guards
    • Monthly "lunch and learn" security training sessions
    • Security awareness programs and posters
    • Contacting law enforcement
  • Real-World Analogy: A school's fire drill is an operational control. It is a human-led procedure designed to ensure people know how to respond safely during an emergency.

4. Physical Controls

Physical controls are tangible mechanisms designed to limit physical access to buildings, rooms, or devices.

  • Definition: Controls that restrict physical access to a facility or piece of equipment.
  • Examples from Source:
    • Guard shacks
    • Fences and locks
    • Badge readers
    • Warning signs
    • Fire extinguishers
  • Real-World Analogy: The lock on the front door of a house is a classic physical control. It is a tangible barrier that prevents unauthorized physical entry.

The Six Types of Security Controls

While categories define what a control is made of (technology, policy, people, or physical objects), control types define what the control does. Each type can be implemented using any of the four categories.

1. Preventive Controls

These controls are proactive, designed to stop a security incident before it can happen.

  • Function: Limits access to a resource to prevent an event from occurring.
  • Examples:
    • Technical: Firewall rules that block malicious traffic.
    • Managerial: Onboarding policies that define access rights from the start.
    • Operational: A guard shack where personnel check identification.
    • Physical: Door locks that prevent entry into a secure room.

2. Deterrent Controls

These controls are designed to discourage a potential attacker from proceeding with an attack. They may not physically stop an action, but they make it less appealing.

  • Function: Discourages an attack but may not actively prevent it.
  • Examples:
    • Technical: A splash screen on an application that warns against unauthorized use.
    • Managerial: The threat of demotion or dismissal for accessing unauthorized data.
    • Operational: A front reception desk greeting every visitor, making them feel observed.
    • Physical: Warning signs detailing consequences for trespassing.

3. Detective Controls

These controls operate during or after an event to identify that something has happened and record the details. A detective control only works if someone or something actually reviews what it produces: logs that are collected but never examined, and alerts that nobody acts on, do not detect anything.

  • Function: Identifies and provides a warning when a breach has occurred.
  • Examples:
    • Technical: System logs that record all system activity for later review.
    • Managerial: A policy requiring the review of login reports to spot anomalies.
    • Operational: Security guards patrolling a property to look for signs of intrusion.
    • Physical: Motion detectors that send an alert when movement is detected in a restricted area.
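
As an added example (not code from the original post), the following Python script implements two of the detective checks described above: it reviews constructed sshd-style log lines for a burst of failed logins from one source and for a successful login outside business hours. The log format, the five-failures-in-60-seconds threshold and the 08:00 to 18:00 business window are assumptions for illustration.

```python
"""Detective control: review auth-log lines for two kinds of anomaly.

Added example, not code from the original post. The sshd-style log format,
the FAIL_THRESHOLD / WINDOW_SECONDS values and the business-hours window are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed sample log lines in sshd style (not captured from a real host).
SAMPLE_LOG = """\
2024-03-04T09:12:01 sshd[4011]: Accepted publickey for alice from 10.0.0.7 port 51422
2024-03-04T09:15:30 sshd[4012]: Failed password for root from 203.0.113.9 port 40001
2024-03-04T09:15:31 sshd[4013]: Failed password for root from 203.0.113.9 port 40002
2024-03-04T09:15:32 sshd[4014]: Failed password for admin from 203.0.113.9 port 40003
2024-03-04T09:15:33 sshd[4015]: Failed password for admin from 203.0.113.9 port 40004
2024-03-04T09:15:34 sshd[4016]: Failed password for oracle from 203.0.113.9 port 40005
2024-03-04T09:40:10 sshd[4020]: Failed password for bob from 10.0.0.21 port 52000
2024-03-04T23:41:07 sshd[4031]: Accepted password for bob from 198.51.100.4 port 33010
2024-03-05T09:15:35 sshd[4040]: Failed password for root from 203.0.113.9 port 40006
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5            # assumption: this many failures ...
WINDOW_SECONDS = 60           # ... within this many seconds from one source
BUSINESS_START = time(8, 0)   # assumption: logins are expected 08:00-18:00
BUSINESS_END = time(18, 0)


def parse(lines):
    """Yield (timestamp, result, user, ip) for every line matching the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_bruteforce(events):
    """Return {ip: first_timestamp} for sources with at least FAIL_THRESHOLD
    failed logins inside any WINDOW_SECONDS sliding window."""
    windows = defaultdict(deque)
    flagged = {}
    for ts, result, _user, ip in events:
        if result != "Failed":
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                      # drop failures older than the window
        if len(q) >= FAIL_THRESHOLD and ip not in flagged:
            flagged[ip] = q[0]
    return flagged


def detect_offhours(events):
    """Return successful logins outside business hours as (user, ip, timestamp)."""
    return [
        (user, ip, ts)
        for ts, result, user, ip in events
        if result == "Accepted" and not (BUSINESS_START <= ts.time() < BUSINESS_END)
    ]


def review(log_text):
    """Run both checks over one log text and return the findings."""
    events = list(parse(log_text.splitlines()))
    return {"bruteforce": detect_bruteforce(events), "offhours": detect_offhours(events)}


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for ip, first in findings["bruteforce"].items():
        print(f"ALERT brute force from {ip} starting {first.isoformat()}")
    for user, ip, ts in findings["offhours"]:
        print(f"ALERT off-hours login by {user} from {ip} at {ts.isoformat()}")
```

On the constructed sample the script flags 203.0.113.9 (five failures in five seconds) and bob's 23:41 login; the single failure from 10.0.0.21 stays below the threshold. In a real deployment the thresholds and hours would be tuned to the environment, and the findings would feed a ticket or SIEM alert rather than stdout, because the review step is what turns the log into a detective control.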

4. Corrective Controls

These controls are reactive and are used after an incident has been detected to reverse its impact or restore normal operations.

  • Function: Reverses the impact of an event or minimizes downtime after an incident.
  • Examples:
    • Technical: Restoring a system from a known-good backup after a ransomware attack.
    • Managerial: Policies that define the process for reporting and escalating security issues.
    • Operational: Contacting law enforcement to handle a physical breach.
    • Physical: A fire extinguisher used to put out a fire and prevent further damage.

5. Compensating Controls

These controls are alternative measures used when a primary control is not feasible, is too costly, or is temporarily unavailable. A compensating control should be documented with the reason the primary control is missing and a date by which it will be reviewed; otherwise the temporary workaround tends to become permanent.

  • Function: Provides an alternative method of control when the primary one is not viable.
  • Examples:
    • Technical: A firewall rule that blocks access to a vulnerable service until a security patch can be applied.
    • Managerial: Separation of duties, ensuring no single individual has complete control over a critical process.
    • Operational: Requiring multiple security guards to work simultaneously to prevent any single point of compromise.
    • Physical: A power generator that provides electricity during a power outage.
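
The firewall examples under both Preventive Controls and Compensating Controls can be shown in one small model. The following Python is an added example, not code from the original post or from any real firewall product: it evaluates an ordered, first-match rule set with an implicit default deny (the preventive control), adds a temporary deny for an unpatched service (the compensating control), and checks for compensating rules whose review date has passed. The rule format, the port numbers, the ticket ID SEC-1234 and the dates are assumptions for illustration.

```python
"""Preventive and compensating firewall rules as an ordered, first-match policy.

Added example, not code from the original post or from any real firewall.
The rule format, the port numbers, the ticket ID and the review dates are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "deny"
    src: str                                # source CIDR, e.g. "10.0.0.0/8"
    dport: Optional[int] = None             # destination port; None matches any port
    comment: str = ""
    compensating_for: Optional[str] = None  # ticket the rule stands in for (assumed ID)
    review_by: Optional[date] = None        # when a compensating rule must be revisited

    def matches(self, src_ip: str, dport: int) -> bool:
        return ip_address(src_ip) in ip_network(self.src) and (
            self.dport is None or self.dport == dport
        )


def evaluate(policy: List[Rule], src_ip: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation; traffic no rule matches hits the implicit default deny."""
    for rule in policy:
        if rule.matches(src_ip, dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def stale_compensating_rules(policy: List[Rule], today_iso: str) -> List[Rule]:
    """Compensating rules whose review date has passed. The primary control (here,
    the patch) should have replaced them by now, so each needs a decision:
    remove it, or extend the review date with a documented reason."""
    today = date.fromisoformat(today_iso)
    return [
        r for r in policy
        if r.compensating_for is not None and r.review_by is not None and r.review_by < today
    ]


# Constructed policy. Port 8443 stands for an internal admin service with a known
# vulnerability that is waiting on ticket SEC-1234 (assumed) for its patch.
POLICY = [
    # Compensating control: only the admin jump host may reach the unpatched
    # service; every other source is blocked until the patch lands.
    Rule("allow", "10.0.5.10/32", 8443, "admin jump host to unpatched service"),
    Rule("deny", "0.0.0.0/0", 8443, "block unpatched service pending patch",
         compensating_for="SEC-1234", review_by=date(2024, 4, 1)),
    # Preventive controls: the traffic the network is supposed to carry.
    Rule("allow", "10.0.0.0/8", 443, "internal HTTPS"),
    Rule("allow", "10.0.0.0/8", 22, "internal SSH"),
    # No catch-all rule: everything else is denied by evaluate().
]

# The same rules with a broad allow placed first. First-match evaluation never
# reaches the compensating deny, so the block silently stops working.
MISORDERED_POLICY = [Rule("allow", "10.0.0.0/8", None, "any internal traffic")] + POLICY


if __name__ == "__main__":
    for src, port in [("10.0.5.10", 8443), ("10.0.7.7", 8443), ("10.0.7.7", 443), ("203.0.113.9", 443)]:
        print(src, port, *evaluate(POLICY, src, port))
    print("misordered:", "10.0.7.7", 8443, *evaluate(MISORDERED_POLICY, "10.0.7.7", 8443))
    for r in stale_compensating_rules(POLICY, "2024-05-01"):
        print("REVIEW OVERDUE:", r.comment, r.compensating_for, r.review_by)
```

Two points a practitioner should take from this: a compensating deny is only effective if it is evaluated before any broader allow, which is why MISORDERED_POLICY lets 10.0.7.7 reach port 8443; and attaching the ticket and review date to the rule is what lets you later find the compensating controls that outlived the problem they were covering.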

6. Directive Controls

These controls direct people toward the behavior the organization expects, usually by stating rules that must be followed. They depend on people reading and following the instructions rather than on a mechanism that enforces them, and, like the other types, they can be delivered through any of the four categories.

  • Function: Directs individuals toward more secure actions and behaviors.
  • Examples:
    • Technical: A policy requiring users to store sensitive information in a specific encrypted folder.
    • Managerial: Compliance policies and procedures documented for all employees to follow.
    • Operational: Security policy training courses for users.
    • Physical: A sign on a door that reads "Authorized Personnel Only."

Summary Matrix of Controls

The following table summarizes the examples provided in the source material, mapping each control type to a control category.

Type         | Technical                              | Managerial                          | Operational              | Physical
-------------|----------------------------------------|-------------------------------------|--------------------------|----------------------------------
Preventive   | Firewall rules                         | Onboarding policy                   | Guard shack ID check     | Door lock
Deterrent    | Application splash screen              | Threat of demotion or dismissal     | Reception desk           | Warning signs
Detective    | System logs                            | Login report review                 | Guard patrols            | Motion detectors
Corrective   | Restore from backup                    | Issue reporting/escalation policy   | Contact law enforcement  | Fire extinguisher
Compensating | Block vulnerable service until patched | Separation of duties                | Multiple guards on duty  | Power generator
Directive    | File storage policy (encrypted folder) | Compliance policies and procedures  | Security policy training | "Authorized Personnel Only" sign

Final Thoughts and Next Steps

Understanding the matrix of security controls—how the four categories intersect with the six types—is fundamental to designing a robust, layered security posture. This framework is not just an academic exercise; it is the language security professionals use to build and assess real-world defenses. As technology and threats evolve, new controls will emerge, but they will almost certainly fit within this foundational structure.

As you move forward, consider this: Can a single security measure, like a biometric scanner, function as a preventive, deterrent, and detective control all at once?

Use this understanding as a launchpad to explore each control type in greater depth. Investigate the specific technologies, policies, and procedures that bring these concepts to life. Your journey to achieving the Security+ certification is a marathon, not a sprint, and mastering these core principles is your first and most critical step. Keep studying, stay curious, and build your expertise one control at a time.
