COMPTIA Security+ OA Study Notes: Key Concepts & Definitions
Western Governors University
Information Security = protecting the data
Information Systems Security = the devices that hold the data
Confidentiality: ensures that info is only accessible to those with the appropriate
authorization
Integrity: ensures data remains accurate & unaltered unless modification is required
Availability: ensures that information & resources are accessible & functional when
needed by authorized users
Threat: anything that could cause harm, loss, damage, or compromise to IT systems
-natural disasters, cyber-attacks, data integrity breaches, disclosure of information
Vulnerability: any weakness in the system design or implementation
-bugs, misconfigurations, improper protection, missing patches, lack of physical
security
Threat + Vulnerability = Risk
Confidentiality------ Encryption***
Encryption: process of converting data into code to prevent unauthorized access
Access Controls: ensure only authorized ppl can access certain types of data
Data Masking: method that involves obscuring data within a database to make it
inaccessible for unauthorized users while retaining the real data’s authenticity & use for
authorized users
Physical Sec. Measures: used to ensure confidentiality for physical types of data &
digital info contained on servers & workstations
Training/Awareness: conducting regular training on the security awareness best
practices that employees can use to protect the organization's sensitive data
Integrity ------- Hashing***
Hashing: process of converting data into a fixed-size value = Hash Digest (digital
fingerprint)
Digital Signatures: use encryption to ensure integrity & authenticity
Checksums: method to verify the integrity of data during transmission
Access Controls: ensure that only authorized ppl can modify data & reduce the risk
of unintentional or malicious alterations
Regular Audits: involve reviewing logs & operations to ensure that only authorized
changes have been made & any discrepancies are addressed
Availability ------- Redundancy***
Non-repudiation -------- Digital Signatures***
-focused on providing undeniable proof in digital transactions – a security measure
that ensures individuals or entities involved in a transaction cannot deny their
participation or the authenticity of their actions.
Digital Signature: created by first hashing a particular message or communication
to be digitally signed & encrypting the hash digest w/ the user's private key using
asymmetric encryption
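The two-step process above (hash the message, then sign the digest with the private key) and the verification that gives integrity and non-repudiation, as an added example that is not part of the original notes. It assumes RSA with SHA-256 from the Go standard library (the notes name no specific algorithms) and uses a constructed sample message:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates the signer's asymmetric key pair. The private key
// never leaves the signer; the public key is what verifiers use.
func NewKeyPair() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignMessage follows the two steps in the notes: hash the message to a
// fixed-size digest, then sign (encrypt) that digest with the private key.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg) // hash digest: the message's fingerprint
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage recomputes the digest and checks the signature with the
// public key. Integrity: any change to msg changes the digest and the check
// fails. Non-repudiation: only the private-key holder could have produced it.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv := NewKeyPair()
	msg := []byte("Approve transfer of 100 to account 42") // constructed sample
	sig, err := SignMessage(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", VerifyMessage(&priv.PublicKey, msg, sig))
	tampered := []byte("Approve transfer of 900 to account 42")
	fmt.Println("tampered verifies:", VerifyMessage(&priv.PublicKey, tampered, sig))
	other := NewKeyPair() // a different identity's key cannot validate it
	fmt.Println("other key verifies:", VerifyMessage(&other.PublicKey, msg, sig))
}
```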
Authentication
-security measure that ensures individuals/entities are who they claim to be during
a communication/transaction
Factors: MFA or 2FA
-Something you know
-Something you have
-Something you are
-Something you do
-Somewhere you are
Authorization
-permissions & privileges granted to users/entities after they have been
authenticated
Accounting
-security measure that ensures all user activities are properly tracked & recorded
SECURITY CONTROLS
Technical Controls: the technologies, hardware & software mechanisms that are
implemented to manage & reduce risks
Managerial Controls: aka Admin controls; involve the strategic planning &
governance side of security
Operational Controls: procedures & measures that are designed to protect data on
a day-to-day basis & are mainly governed by internal processes & human actions
-backup procedures, account audits, user training programs
Physical Controls: tangible, real-world measures taken to protect assets
CONTROL TYPES
Preventative: (build our foundation) proactive measures implemented to thwart
potential security threats or breaches
Deterrent: (discourage threats) aim to discourage potential attackers by making
the effort seem less appealing or more challenging
Detective: (keep a watchful eye) monitor & alert organizations to malicious
activities as they occur or shortly thereafter
Corrective: (jump in during emergencies) mitigate any potential damage & restore
the systems to their normal state
Compensating: (offer backups & migrations) alternative measures that are
implemented when primary security controls are not feasible or effective
Directive: (guide the entire process) often rooted in policy or documentation & set
the standards for behavior within an organization (they guide, inform, or mandate
different actions)
Gap Analysis: process of evaluating the differences between an organization’s current
performance and its desired performance
-is a powerful tool that can help organizations to improve their security & their
performance by identifying areas where improvements can be made
Zero-Trust: demands verification for every device, user & transaction within the
network, regardless of its origin
Need to use two different planes to create a Zero Trust architecture: Control
Plane & Data Plane
Control Plane: lays out the policies & procedures
-the overarching framework & set of components responsible for defining,
managing, & enforcing the policies related to user & system access within an
organization – provides a centralized way to dictate & control how, when & where access
is going to be granted to ensure that only authenticated & authorized entities can access
specific resources.
Adaptive Identity: use adaptive identities that rely on real-time validation
that takes into account the user’s behavior, device, location, & more.
Threat scope reduction: limit the user's access to only what they need for
their work tasks because this drastically reduces the network's potential attack surface
Policy-driven access control: entails developing, managing, & enforcing user
access policies based on their roles & responsibilities
The control plane will use a Policy Engine & a Policy Administrator to make decisions
about access
Policy Engine: cross-references the access request with its predefined
policies, like a rule book
Policy Administrator: is used to establish & manage the access policies, who
gets access to what
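A minimal control plane putting the pieces above together (policy administrator holding the rule book, policy engine cross-referencing each request, adaptive identity checks on device and location, and default deny to keep scope reduced), as an added example that is not from the original notes. The role, resource and location names are constructed sample values:

```go
package main

// AccessRequest is the context evaluated on every request, inside or outside the network.
type AccessRequest struct {
	User, Role, Resource, Action string
	DeviceCompliant              bool   // adaptive identity: device posture
	Location                     string // adaptive identity: user location
}

// Policy is one rule in the administrator's rule book: a role may perform
// the listed actions on a resource, subject to location and device checks.
type Policy struct {
	Role, Resource  string
	Actions         map[string]bool // permitted actions, e.g. "read"
	Locations       map[string]bool // empty: any location is acceptable
	CompliantDevice bool            // true: the device must pass a posture check
}

// PolicyAdministrator establishes and manages who gets access to what;
// PolicyEngine cross-references each request with that rule book.
type PolicyAdministrator struct{ Policies []Policy }
type PolicyEngine struct{ Admin *PolicyAdministrator }

// Decide denies by default: access is granted only when a policy matches role,
// resource and action and the adaptive checks pass (threat scope reduction).
func (pe PolicyEngine) Decide(req AccessRequest) (bool, string) {
	for _, p := range pe.Admin.Policies {
		if p.Role != req.Role || p.Resource != req.Resource || !p.Actions[req.Action] {
			continue // this rule does not cover the request; keep looking
		}
		if len(p.Locations) > 0 && !p.Locations[req.Location] {
			return false, "denied: location not permitted by policy"
		}
		if p.CompliantDevice && !req.DeviceCompliant {
			return false, "denied: device failed posture check"
		}
		return true, "allowed by policy for role " + p.Role
	}
	return false, "denied: no matching policy (default deny)"
}

// NewSampleEngine loads a constructed policy set used for the demonstration.
func NewSampleEngine() PolicyEngine {
	pa := &PolicyAdministrator{Policies: []Policy{{
		Role: "analyst", Resource: "hr-db", Actions: map[string]bool{"read": true},
		Locations: map[string]bool{"office": true}, CompliantDevice: true,
	}}}
	return PolicyEngine{Admin: pa}
}
```

Note that a request from a role with no policy, or for an action the policy does not list, is refused without any explicit deny rule, which is the zero-trust default.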