1.1 Compare and contrast security controls
📘CompTIA Security+ (SY0-701)
🔹 Understanding Security Controls
Security controls are the safeguards or countermeasures put in place to protect information systems, networks, and data from threats and vulnerabilities.
In simple terms:
Security controls are the defensive measures that help us keep our systems safe from attacks, mistakes, or failures.
Every organization uses different types of controls depending on what needs to be protected and how.
These controls fall into four main categories for the SY0-701 exam:
- Technical controls
- Managerial controls
- Operational controls
- Physical controls
Let’s go through each in detail.
🧩 1. Technical Controls (also called Logical Controls)
Definition:
Technical controls are implemented through technology — they are software or hardware-based mechanisms that protect systems and data automatically.
These controls rely on IT systems, devices, and software configurations rather than people or management policies.
Purpose:
To enforce security automatically through system configuration and tools.
Examples and Explanations:
| Function | Example in IT Environment | Explanation |
|---|---|---|
| Access Control | Login authentication using usernames and passwords | Ensures only authorized users can access systems. |
| Encryption | Encrypting data at rest on a server or in transit over the network | Protects data from being read by unauthorized users if it’s intercepted. |
| Firewalls | Network firewalls, host-based firewalls | Filter traffic to prevent unauthorized access. |
| Antivirus / Anti-malware | Installed on computers or servers | Detects and removes malicious software. |
| Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS) | Network monitoring tools | Detect or stop suspicious activities on a network. |
| Access Control Lists (ACLs) | Applied on routers or switches | Define who can send or receive traffic on a network device. |
| Multi-factor Authentication (MFA) | Requiring password + code or smartcard | Adds an extra layer of protection for user access. |
| Data Loss Prevention (DLP) | Software that monitors data transfers | Prevents sensitive data from leaving the organization. |
Key Point:
Technical controls are technology-driven and automatically enforce security policies.
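To make the "automatic enforcement" idea concrete, here is a small added example (written for these notes, not code from the page or from CompTIA) of how an Access Control List, one of the technical controls in the table above, is evaluated. The rule format, the addresses and the sample packets are all constructed for illustration; the two behaviours it demonstrates are standard for router-style ACLs: rules are checked top-down and the first match wins, and anything that matches no rule is dropped by an implicit deny at the end of the list.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACL (not from the page). Evaluated top-down; first match wins.
# "dst_port": None means "any destination port".
ACL = [
    {"action": "permit", "src": "10.0.1.0/24", "dst_port": 443},   # web tier -> HTTPS
    {"action": "permit", "src": "10.0.2.0/24", "dst_port": 22},    # admin subnet -> SSH
    {"action": "deny",   "src": "10.0.0.0/8",  "dst_port": None},  # everything else internal
    {"action": "permit", "src": "0.0.0.0/0",   "dst_port": 80},    # public HTTP
]

# Same rules with the broad deny moved to the top: demonstrates that order matters.
MISORDERED_ACL = [ACL[2], ACL[0], ACL[1], ACL[3]]


def evaluate(acl, src_ip, dst_port):
    """Return (action, index_of_matching_rule).

    The index is None when no rule matched, i.e. the implicit deny applied.
    """
    src = ip_address(src_ip)
    for index, rule in enumerate(acl):
        src_matches = src in ip_network(rule["src"])
        port_matches = rule["dst_port"] in (None, dst_port)
        if src_matches and port_matches:
            return rule["action"], index
    # No explicit rule matched: technical controls fail closed here.
    return "deny", None


def evaluate_many(acl, packets):
    """Evaluate a list of (src_ip, dst_port) tuples against an ACL."""
    return [(pkt, *evaluate(acl, *pkt)) for pkt in packets]


if __name__ == "__main__":
    # Constructed traffic sample.
    SAMPLE_PACKETS = [
        ("10.0.1.5", 443),    # permitted by rule 0
        ("10.0.1.5", 22),     # web tier must not reach SSH: caught by rule 2
        ("10.0.2.9", 22),     # admin SSH: permitted by rule 1
        ("192.0.2.7", 80),    # public HTTP: permitted by rule 3
        ("192.0.2.7", 8080),  # matches nothing: implicit deny
    ]
    for pkt, action, index in evaluate_many(ACL, SAMPLE_PACKETS):
        where = f"rule {index}" if index is not None else "implicit deny"
        print(f"{pkt[0]:>12}:{pkt[1]:<5} -> {action:6} ({where})")

    # With the deny rule first, the web tier's HTTPS traffic is now blocked too.
    print("misordered:", evaluate(MISORDERED_ACL, "10.0.1.5", 443))
```

The point for the exam and for practice is the same: once the ACL is applied to the interface, the device enforces it on every packet without anyone being involved, which is what makes it a technical control rather than an operational one. The misordered variant shows the practitioner caveat that comes with that automation: a rule placed in the wrong position silently changes what is allowed, so ACLs should be reviewed after every change (which is itself an operational control).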
🧭 2. Managerial Controls (also called Administrative Controls)
Definition:
Managerial controls are implemented by management to define and enforce security policies, procedures, and risk management decisions.
They focus on planning, decision-making, and oversight — ensuring the organization’s security strategy is aligned with business goals.
Purpose:
To govern and direct how security should be managed within an organization.
Examples and Explanations:
| Function | Example in IT Environment | Explanation |
|---|---|---|
| Risk Assessment | Conducting risk analysis on critical systems | Identifies potential threats and their impact. |
| Security Policies | Acceptable Use Policy (AUP), Password Policy | Define how systems should be used securely. |
| Security Audits | Regular internal/external audits | Verify that controls are implemented correctly. |
| Compliance Management | Ensuring compliance with laws (e.g., GDPR, HIPAA) | Keeps organization in line with regulations. |
| Security Planning | Developing an organization’s security framework | Helps plan how to protect systems and data long-term. |
| Vendor Management | Reviewing third-party security controls | Ensures suppliers follow security standards. |
| Performance and Metrics Reviews | Reviewing logs, reports, and incident trends | Helps management make informed security decisions. |
Key Point:
Managerial controls are about governance and oversight — they set the rules that technical and operational controls must follow.
⚙️ 3. Operational Controls
Definition:
Operational controls are implemented by people and involve day-to-day procedures and actions that help protect systems and data.
They ensure that security is properly followed in daily operations and that staff know their roles in maintaining security.
Purpose:
To manage and enforce security practices during daily operations through people, training, and procedures.
Examples and Explanations:
| Function | Example in IT Environment | Explanation |
|---|---|---|
| Security Awareness Training | Regular staff training on phishing, password safety | Ensures employees recognize and avoid security threats. |
| Incident Response Procedures | Steps followed after detecting a data breach | Guides staff on how to contain and report incidents. |
| Change Management | Documenting and reviewing configuration changes | Prevents unauthorized or risky system changes. |
| Configuration Management | Maintaining consistent system settings | Reduces risk of misconfiguration. |
| Account Management | Disabling unused or terminated employee accounts | Prevents unauthorized access from inactive users. |
| Backup and Recovery Operations | Daily data backups and test restores | Ensures data can be recovered if lost or corrupted. |
| Patch Management | Regular software updates | Fixes known vulnerabilities to prevent exploitation. |
| Log Review | Analyzing system or network logs | Helps detect suspicious activities early. |
Key Point:
Operational controls are human-based and depend on processes and procedures to maintain security daily.
🧱 4. Physical Controls
Definition:
Physical controls are security measures that protect the physical environment — such as buildings, data centers, servers, and network equipment.
They prevent unauthorized physical access, damage, or theft of IT assets.
Purpose:
To physically protect IT systems, facilities, and personnel from harm or unauthorized access.
Examples and Explanations:
| Function | Example in IT Environment | Explanation |
|---|---|---|
| Locks and Access Badges | Keycards or biometric scanners for server rooms | Restrict physical entry to authorized personnel only. |
| Surveillance Systems (CCTV) | Cameras monitoring server rooms and entry points | Helps detect or deter unauthorized physical access. |
| Security Guards | Monitoring building entrances | Provide human oversight for facility access. |
| Fencing and Barriers | Around data centers | Protects physical perimeter. |
| Fire Suppression Systems | Smoke detectors, sprinklers, gas-based systems | Prevents damage from fire. |
| Environmental Controls | HVAC systems, humidity control | Protects equipment from overheating or damage. |
| Visitor Logs | Recording visitors entering IT facilities | Tracks who accessed secure areas. |
| Server Racks and Cabinets | Locked enclosures for servers | Prevents tampering or unauthorized access. |
Key Point:
Physical controls protect the hardware, data center, and physical environment that support IT systems.
🔐 Summary Table
| Category | Focus | Implemented By | Examples |
|---|---|---|---|
| Technical | Technology-based protection | IT systems, administrators | Firewalls, encryption, antivirus |
| Managerial | Policies and management oversight | Senior management | Security policies, audits, risk assessments |
| Operational | Daily procedures and user actions | IT staff and employees | Training, patching, backups, incident response |
| Physical | Protect physical environment | Facilities/security teams | Locks, CCTV, fire suppression |
🧠 Exam Tips for CompTIA Security+ (SY0-701)
- Know the difference between categories — many exam questions test your ability to identify which type of control an example represents.
- Remember:
  - If it’s technology → Technical
  - If it’s a policy or management decision → Managerial
  - If it’s a day-to-day task or process → Operational
  - If it’s physical protection → Physical
- The exam may also mix categories in one question, for example asking which control type applies to implementing multi-factor authentication (Technical) or to reviewing logs daily (Operational).
