In today’s security landscape, organizations must adopt a multi-layered approach to protect their valuable assets and sensitive data. Security controls form the backbone of any robust security environment, offering a range of measures to mitigate risks, detect incidents, and ensure compliance with current regulations. These controls form the basis of company policies.

This chapter covers the first exam objective in Domain 1.0, General Security Concepts, of the CompTIA Security+ exam. In this chapter, we will look at various types of security controls, including technical, managerial, operational, and physical. We will then explore the distinct characteristics and applications of preventive, deterrent, detective, corrective, compensating, and directive controls, empowering organizations to make informed decisions on their security strategy.

This chapter will provide an overview of why companies rely on these controls to keep their environments safe to ensure...

The four main control categories are technical, managerial, operational, and physical. Each category represents a different aspect of control within an organization and is crucial for ensuring efficiency, effectiveness, and compliance. Each of these categories is explained in the following sections.

Technical Controls

Technical controls play a crucial role in minimizing vulnerabilities within an organization’s technical systems, including computer networks, software, and data management. Their primary focus is on upholding system integrity, mitigating the risk of unauthorized access, and protecting sensitive data from potential threats. By implementing effective technical control measures, organizations can significantly reduce vulnerabilities and enhance the security of their technological infrastructure. Examples of technical controls are as follows:

• Firewalls: Firewalls are a common technical control used to protect computer networks from...

Control types are essential components of an effective management system that help organizations achieve their objectives and ensure the smooth operation of processes. The following list defines these control types, providing an example for each:

• Preventive controls: These controls are designed to prevent problems or risks from occurring in the first place. They focus on eliminating or minimizing potential threats before they can cause harm. Examples of preventative controls include firewall installations to prevent unauthorized access to computer networks by using access control lists, employee training programs to educate staff about safety procedures and prevent workplace accidents, and quality control checks in the manufacturing process to prevent defects.
• Deterrent controls: Deterrent controls aim to discourage individuals from engaging in undesirable behaviors or activities. They create a perception of risk or negative consequences to deter potential...

This chapter reviewed the control categories that help maintain security and efficiency within organizations. We learned that technical controls use advanced technology to protect systems and information, managerial controls establish policies and procedures to guide and oversee operations, operational controls ensure that day-to-day activities adhere to established processes, and physical controls involve tangible measures to safeguard assets and facilities. These categories all work together to create a comprehensive control framework, combining technological safeguards, effective management, streamlined operations, and physical security measures, thus promoting a secure and well-managed organizational environment.

The knowledge gained in this chapter will prepare you to answer any questions relating to Exam Objective 1.1 in your CompTIA Security+ certification exam.

The next chapter is Chapter 2, Summarize fundamental security concepts.

Compare and contrast various types of security controls.

• Categories of security controls:
  • Technical controls: Technology-based measures such as firewalls and encryption
  • Managerial controls: Policies, procedures, and guidelines for security management
  • Operational controls: Day-to-day security practices such as monitoring and access management
  • Physical controls: Measures to safeguard physical assets and premises
• Types of security controls:
  • Preventive controls: Aimed at preventing security incidents
  • Deterrent controls: Intended to discourage potential attackers
  • Detective controls: Focused on identifying and detecting security incidents
  • Corrective controls: Implemented after an incident to mitigate the impact
  • Compensating controls: Alternative measures to compensate for inadequate primary controls
  • Directive controls: Policies or regulations providing specific guidance

The following questions are designed to check that you have understood the information in the chapter. For a realistic practice exam, please check the practice resources in our exclusive online study tools (refer to Chapter 29, Accessing the online practice resources for instructions to unlock them). The answers and explanations to these questions can be found via this link.

1. A company has guards at the gate, guards at the entrance to its main building, and an access control vestibule inside the building. Access to the office where the company’s data resides is controlled through two additional doors that use RFID (radio frequency identification) locks. Which control types are being adopted by the company? (Select TWO.)
   1. Preventive
   2. Deterrent
   3. Corrective
   4. Physical
2. One of the file servers of an organization has suffered an attack. The organization’s IT administrator is searching the log files to understand what happened. What type of control...