Technical Controls: ANS: These use technology to protect assets and control access to systems and data.
Examples include firewalls, encryption, antivirus software, and intrusion detection systems.
Managerial Controls: ANS: These involve strategies, policies, and procedures that manage the overall
security of an organization. Examples include risk assessments, security training, and auditing practices.
Operational Controls: ANS: These are implemented to improve the day-to-day operations and security
of the organization. They include change management, data backup procedures, and incident response
processes.
Physical Controls: ANS: These restrict physical access to organizational resources like buildings, rooms,
and hardware. Examples include locks, biometric scanners, security guards, and fence barriers.
Preventive Controls: ANS: Intended to prevent security incidents before they occur. Examples include
locks, authentication mechanisms, and network access controls.
Deterrent Controls: ANS: Aim to discourage security violations. Examples are signage, policies like
'termination for violations', and visible surveillance cameras.
Detective Controls: ANS: Designed to identify and detect security incidents as they occur. Examples include
motion detectors, intrusion detection systems, and log monitoring.
Corrective Controls: ANS: Focus on repairing or restoring systems after a security incident has occurred.
Examples are patches, system restores, and intrusion repair protocols.
Compensating Controls: ANS: Provide alternative security measures when existing controls are deemed
insufficient. They compensate for weaknesses and include multiple-factor authentication where
single-factor fails.
Directive Controls: ANS: These controls are intended to direct, confine, or control the actions of
subjects to force or encourage compliance with security policies. Examples include security awareness
training and posted notifications.
Confidentiality: ANS: Ensuring that data is accessible only to those authorized to have access.
Integrity: ANS: Safeguarding the accuracy and completeness of information and processing methods.
Availability: ANS: Ensuring that authorized users have access to information and associated assets when
required.
Non-repudiation: ANS: Ensures that a party in a transaction cannot deny the authenticity of their
signature on a document or a message that they originated, thereby ensuring accountability.
Authenticating People: ANS: Verifying the identity of users, typically through passwords, biometrics, or
tokens.
Authenticating Systems: ANS: Confirming the identity of systems or machines, often using certificates
or pre-shared keys.
Authorization Models: ANS: Methods for granting or denying user rights and permissions to access
resources.
Accounting: ANS: Tracking user activities and recording security events to provide an audit trail.
Gap Analysis: ANS: A method of assessing the differences between the current security measures and
the desired state, identifying areas of improvement to achieve security objectives.
Zero Trust: ANS: Is a security model that operates on the principle of "never trust, always verify,"
requiring strict identity verification for every user and device trying to access resources within a
network, regardless of their location. This approach employs least privilege access and
microsegmentation to minimize the attack surface and enhance security by continuously validating the
security posture of all entities interacting with the system.
Threat Scope Reduction: ANS: is the process of minimizing potential attack vectors in an organization by
reducing the number of exploitable systems, services, or privileges. This helps lower the risk of
successful cyberattacks through techniques like patching, network segmentation, and enforcing least
privilege.
Adaptive Identity: ANS: refers to a dynamic security approach that adjusts user authentication and
access control based on real-time risk factors, such as behavior patterns, location, or device. It
strengthens security by continuously verifying identity during access.
Policy-driven Access Control: ANS: Access decisions are made dynamically based on a comprehensive
evaluation of trust states.
Policy Administrator/Engine: ANS: Central points for managing and enforcing security policies.
Implicit Trust Zones: ANS: refer to areas within a network where systems, devices, or users are
automatically trusted without additional verification. These zones lack strict access controls, assuming
entities within the zone are safe, which can increase security risks if not properly managed.
Subject/System: ANS: the Subject refers to the entity (such as a user or process) that requests access to
resources, while the System (or Object) refers to the resource being accessed, such as files, databases,
or applications. Access control mechanisms manage the interaction between the subject and system to
ensure security.
Policy Enforcement Point: ANS: is a functional component that enforces access control policies in secure
environments. It ensures that the security policies and rules are applied when a subject tries to access
an object (such as files or systems).
Bollards: ANS: Short vertical posts designed to prevent vehicle intrusion into secure areas.
Access Control Vestibule: ANS: A secured entryway that typically includes two sets of doors and an
authentication system to control individual access.
Fencing: ANS: Barriers used to secure an area by preventing unauthorized physical entries.
Video Surveillance: ANS: Cameras and monitoring equipment used to oversee premises and record
activities for security review and enforcement.
Security Guard: ANS: Personnel tasked with physical security duties including monitoring surveillance,
patrolling property, and responding to incidents.
Access Badge: ANS: Identification cards used to grant access to restricted areas through electronic
reader systems.
Lighting: ANS: Essential for enhancing visibility and deterring unauthorized access, especially in
vulnerable and dark areas around a property.
Infrared: ANS: Detect unauthorized movement based on body heat.
Pressure: ANS: Trigger alarms or alerts when pressure changes are detected, typically used on floors or
mats.
Microwave: ANS: Uses microwave pulses to detect movement through changes in frequency.