Effective control selection

3.2 Secure enterprise infrastructure

📘 CompTIA Security+ (SY0-701)


Definition:
Effective control selection is the process of choosing the right security controls to protect an organization’s assets, reduce risks, and ensure compliance with security policies. A security control is any safeguard or countermeasure implemented to protect systems, networks, or data.

The main goal is to match the right control to the right risk so that the organization is protected efficiently without wasting resources.


1. Types of Security Controls

Security controls are generally categorized into three main types, which you need to know for the exam:

A. Administrative (Management) Controls

  • Focus: Policies, procedures, and governance.
  • Purpose: Guide user behavior and ensure proper security practices.
  • Examples:
    • Security policies (e.g., password policy, access control policy)
    • Risk assessments
    • Training programs
    • Incident response planning
  • Key point for the exam: These controls do not directly protect systems, but guide people and processes to follow security best practices.

B. Technical (Logical) Controls

  • Focus: Technology-based solutions.
  • Purpose: Protect systems, networks, and data directly.
  • Examples:
    • Firewalls (block unauthorized access)
    • Antivirus/anti-malware
    • Encryption (protect data in transit and at rest)
    • Multi-factor authentication (MFA)
  • Key point for the exam: Technical controls are often automated and enforce rules in real time.

C. Physical Controls

  • Focus: Physical access and environmental security.
  • Purpose: Protect the physical assets of the organization.
  • Examples:
    • Locked server rooms or data centers
    • Security guards and access cards
    • CCTV and surveillance systems
    • Environmental controls (smoke detectors, fire suppression)
  • Key point for the exam: Even though digital threats dominate, physical security is still critical, because attackers can bypass technical controls if they gain physical access.

2. Selecting Effective Controls

When selecting controls, you need to consider multiple factors to ensure they actually reduce risk without overcomplicating operations.

A. Risk Assessment

  • Step 1: Identify the assets that need protection (servers, sensitive data, network devices, applications).
  • Step 2: Determine the threats to those assets (hackers, malware, insider threats).
  • Step 3: Evaluate vulnerabilities (weak passwords, unpatched software, unsecured Wi-Fi).
  • Step 4: Decide on controls to mitigate the risk.

Example:
If a company stores sensitive customer data, a risk assessment might show that data theft is a major threat. Controls such as encryption and MFA would directly reduce that risk.

B. Control Effectiveness

When evaluating a control, ask:

  • Does it prevent, detect, or correct a security issue?
  • Does it fit the organization’s environment? (e.g., cloud apps vs. on-premise servers)
  • Is it cost-effective? Not all controls are worth the expense.
  • Is it scalable? Can it grow with the organization?

3. Control Objectives

Security controls usually aim to achieve one or more of these objectives:

  1. Preventive Controls: Stop security incidents before they happen.
    • Example: Firewall blocks unauthorized network traffic.
  2. Detective Controls: Identify incidents after they occur.
    • Example: Intrusion detection systems (IDS) or log monitoring.
  3. Corrective Controls: Fix issues after they happen.
    • Example: Backup restoration, patching a system after a malware infection.
  4. Deterrent Controls: Discourage malicious behavior.
    • Example: Warning banners on systems or access audits.
  5. Compensating Controls: Alternative solutions when primary controls are not feasible.
    • Example: Using temporary access restrictions if MFA cannot be implemented immediately.

Tip for the exam: You may be asked to identify the type of control based on a scenario. Memorize examples for each category.


4. Mapping Controls to the CIA Triad

Every control should support one or more aspects of the CIA triad, which is a core concept in cybersecurity:

  • Confidentiality: Keep data private.
    • Control example: Encryption, access controls.
  • Integrity: Ensure data is not altered or tampered with.
    • Control example: Hashing, digital signatures, file integrity monitoring.
  • Availability: Ensure systems and data are accessible when needed.
    • Control example: Redundant servers, backups, failover systems.

5. Consider the Environment

  • Cloud vs. On-Premises: Which controls are available, and who is responsible for them, depends on where resources are hosted.
    Example: Cloud platforms may offer built-in security controls like IAM policies, but physical access controls for the equipment you operate on-premises are still your responsibility.
  • Regulatory Compliance: Some industries require specific controls.
    Example: HIPAA for healthcare data, PCI DSS for credit card info.

6. Cost vs. Benefit

  • Selecting controls is not just about security—it’s about balancing risk and cost.
  • High-risk, high-impact assets usually get stronger controls.
  • Low-risk assets may get lighter, cheaper controls.

7. Common Control Selection Scenarios

Here are typical IT examples you might see in Security+ exam questions:

Scenario | Suggested Controls | Type | CIA Triad
Protecting sensitive files on a server | File encryption, access control lists (ACLs) | Technical | Confidentiality
Detecting unusual login activity | SIEM, log monitoring, IDS | Technical | Integrity / Availability
Preventing unauthorized access to a server room | Badge access, security guards, CCTV | Physical | Confidentiality / Availability
Training employees about phishing | Security awareness training | Administrative | Confidentiality
System failure recovery | Backups, failover servers | Technical / Corrective | Availability

8. Key Exam Tips

  1. Understand the types of controls (Administrative, Technical, Physical) and their examples.
  2. Know the objectives of controls (Preventive, Detective, Corrective, Deterrent, Compensating).
  3. Always connect controls to the CIA triad.
  4. Remember to consider the environment, cost, and risk when selecting controls.
  5. Learn typical IT examples because the exam questions are usually scenario-based.

Summary:
Effective control selection is about choosing the right controls to protect your organization’s assets while considering risk, cost, and environment. Controls can be administrative, technical, or physical, and should support the CIA triad. Always remember the type of control, its objective, and when it’s best applied.
