MODULE 1
Security Controls Overview
Cybersecurity Fundamentals
// Module Introduction

Security Controls:
Purpose, Types & Categories

Security controls are the safeguards and countermeasures organizations implement to protect the confidentiality, integrity, and availability of their information systems. This module explores how controls are classified, selected, and applied.

Preventive · Detective · Corrective | Administrative · Technical · Physical
3 Functional Types · 3 Implementation Categories · 9+ Sections in Module
// Learning Objectives

What You Will Learn

🎯 Core Purpose

Understand why security controls exist and how they support the CIA triad: Confidentiality, Integrity, and Availability.

⚙️ Functional Types

Distinguish between Preventive, Detective, and Corrective/Recovery controls and provide examples of each.

🗂️ Implementation Categories

Classify controls as Administrative, Technical, or Physical and explain how they layer for defense-in-depth.

📋 Selection Guidance

Apply a risk-based framework to select and implement appropriate controls for various organizational contexts.

💡 How to Use This Lesson

Navigate through each section using the left sidebar. Engage with interactive elements: click accordions, answer scenario questions, drag-and-drop controls, and take the final knowledge check. Sections are marked complete as you visit them.

// Section 1

Core Purpose of Security Controls

Security controls exist to protect organizational assets and data from threats, ensure compliance with regulations, and support continuous business operations. They are the foundation of any cybersecurity program.

🔒 Confidentiality

Ensure only authorized users can access sensitive information. Controls prevent data leakage and unauthorized disclosure.

✔️ Integrity

Guarantee that data has not been tampered with or altered by unauthorized parties, preserving its accuracy and trustworthiness.

📡 Availability

Keep systems and data accessible to authorized users when needed, even under attack or hardware failure.

// Three Dimensions

Primary Objectives, Risk Management & Outcomes

Primary Objectives
  • Protect assets and data by implementing measures that reduce risks and prevent unauthorized access or modification.
  • Ensure confidentiality, integrity, and availability of information systems through layered defenses and policies.
  • Support compliance and governance goals by enforcing standards, detecting incidents, and enabling recovery processes.

Risk Management
  • Identify, assess, and mitigate risks by applying controls proportionate to threat likelihood and potential impact.
  • Balance control costs and operational needs to maintain business continuity and acceptable risk levels.
  • Prioritize controls based on criticality of assets, regulatory requirements, and threat intelligence.

Outcomes
  • Prevent incidents through proactive measures and reduce attack surface via hardening and least-privilege practices.
  • Detect anomalies and breaches quickly using monitoring, logging, and analytics to enable rapid response.
  • Recover and resume normal operations with backups, redundancy, and tested incident response and continuity plans.
⚠️ Key Principle: Defense-in-Depth

No single control is perfect. Organizations layer multiple controls so that if one fails, others remain to protect assets. This concept, defense-in-depth, is central to modern cybersecurity architecture.

// Section 2

Types of Security Controls by Function

Controls are grouped by what they do: prevent threats before they occur, detect threats in progress, or correct and recover from incidents after they happen.

🛡️ Preventive Controls: Stop threats before they happen

These controls act as barriers. They are implemented proactively to block unauthorized access, reduce vulnerabilities, and minimize the attack surface before an incident can occur.

🔑 Access Controls

Mechanisms that restrict who can access systems and data, including authentication (who are you?) and authorization (what can you do?).

Examples: MFA, RBAC, password policies, SSO

🔨 Hardening & Patching

Configuration management practices that remove vulnerabilities and minimize exposed services or features by keeping systems updated and securely configured.

Examples: CIS Benchmarks, Patch Tuesday, disabling unused services

🌐 Network Protections

Firewalls, segmentation, and secure gateways that block unauthorized network traffic and limit lateral movement by attackers.

Examples: Firewall rules, VLANs, DMZ, WAF, IPS
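As an added example (not part of the module), the following Python script models a preventive technical control of the hardening kind: a configuration-baseline check. It parses a constructed sshd_config, reports every directive that deviates from a small hardening baseline, and emits a corrected copy. The baseline values, the sample config and the function names are assumptions for this example; they follow common SSH hardening guidance but are not quoted from any specific CIS Benchmark.

```python
"""Preventive control: a hardening-baseline check for an sshd_config-style file.

Added example, not code from the module. The baseline values follow common
SSH hardening guidance; they are an assumption for this example and are not
quoted from any specific CIS Benchmark.
"""
from __future__ import annotations

# Baseline: directive -> (required value, reason). Constructed for this example.
BASELINE = {
    "PermitRootLogin": ("no", "direct root logins remove accountability"),
    "PasswordAuthentication": ("no", "key-based auth resists password guessing"),
    "PermitEmptyPasswords": ("no", "empty passwords allow trivial access"),
    "X11Forwarding": ("no", "unused feature widens the attack surface"),
    "MaxAuthTries": ("4", "limits guesses per connection"),
}

# Constructed sample config: a default-looking install with several weak settings.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the active directives with lower-cased keys.

    Mirrors sshd's own rules: '#' lines are comments and the FIRST
    occurrence of a directive wins, so a later duplicate cannot override it.
    """
    config: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        config.setdefault(parts[0].lower(), parts[1].strip())
    return config


def check_baseline(config: dict[str, str], baseline=BASELINE) -> list[tuple[str, str | None, str]]:
    """List (directive, current value or None if unset, required value) for
    every baseline directive that is missing or deviates from the baseline."""
    findings = []
    for name, (required, _reason) in baseline.items():
        current = config.get(name.lower())
        if current is None or current.lower() != required.lower():
            findings.append((name, current, required))
    return findings


def apply_baseline(text: str, baseline=BASELINE) -> str:
    """Return a hardened copy: the first active occurrence of each baseline
    directive is rewritten, later duplicates are dropped (sshd would ignore
    them anyway) and directives that were absent are appended."""
    by_lower = {name.lower(): name for name in baseline}
    seen: set[str] = set()
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        parts = stripped.split(None, 1)
        key = parts[0].lower() if parts and not stripped.startswith("#") else None
        if key in by_lower:
            if key in seen:
                continue
            seen.add(key)
            out.append(f"{by_lower[key]} {baseline[by_lower[key]][0]}")
            continue
        out.append(raw)
    for name, (required, reason) in baseline.items():
        if name.lower() not in seen:
            out.append(f"# added by baseline check: {reason}")
            out.append(f"{name} {required}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, current, required in check_baseline(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"{name}: {current or '<unset>'} -> required {required}")
```

Run it as a script to list the five findings in the sample. What makes this preventive rather than detective is where it runs: wired into configuration management before a change is applied, a weak setting never reaches production. Note the parser's first-occurrence rule, which matters because a commented-out or later duplicate line can make a config look hardened when it is not.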

🔍 Detective Controls: Find threats in progress

These controls identify when something suspicious has happened or is happening. They create visibility into the environment so security teams can respond rapidly.

📋 Monitoring & Logging

Continuous event collection and aggregation to identify suspicious activity and provide forensic evidence after an incident.

Examples: SIEM, syslog, Windows Event Log, audit trails

🚨 Intrusion Detection

IDS tools analyze traffic or host behavior to flag potential attacks or policy violations in real time or near-real time.

Examples: Snort, Suricata, host-based IDS (HIDS), EDR alerts

📈 Auditing & Assessments

Periodic or automated checks that reveal deviations from baseline security posture and identify compliance gaps.

Examples: Vulnerability scans, penetration tests, compliance audits
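As an added example (not part of the module), here is a minimal detective control in Python that does what the monitoring and intrusion-detection bullets above describe at small scale: a parser for OpenSSH auth messages as they appear in syslog, plus two detection rules, a sliding-window brute-force rule and a higher-severity "success after brute force" rule. The log lines are constructed (RFC 5737 test addresses); the thresholds, the assumed year for the year-less syslog timestamp, and the function names are assumptions for this example.

```python
"""Detective control: turn raw sshd auth-log lines into alerts.

Added example, not code from the module. The log lines are constructed
(RFC 5737 test addresses); the message format mimics OpenSSH as logged by
syslog, and the thresholds are assumptions chosen for the demonstration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one brute-force source that eventually succeeds,
# one normal user, and two failures hours apart that must NOT raise an alert.
SAMPLE_LOG = """\
Mar 10 09:14:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 09:14:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 10 09:14:09 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 09:14:12 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 10 09:14:15 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51248 ssh2
Mar 10 09:14:40 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Mar 10 09:20:31 web1 sshd[2150]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar 10 09:20:44 web1 sshd[2152]: Accepted publickey for alice from 198.51.100.4 port 40024 ssh2
Mar 10 11:02:10 web1 sshd[2300]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 10 15:02:10 web1 sshd[2600]: Failed password for bob from 198.51.100.9 port 40200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5   # this many failures from one source...
WINDOW_SECONDS = 60  # ...within this window raises a brute-force alert


def parse_line(line: str, year: int = 2024) -> dict | None:
    """Parse one syslog line into an event dict, or None if it is not an
    sshd auth result. Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines, year: int = 2024) -> list[dict]:
    """Run both rules over the lines and return the alerts in order."""
    alerts: list[dict] = []
    recent_failures: dict[str, deque] = defaultdict(deque)  # src -> failure times in window
    flagged: set[str] = set()  # sources already alerted on for brute force
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        window = recent_failures[ev["src"]]
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            # Slide the window: forget failures older than WINDOW_SECONDS.
            while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "ts": ev["ts"], "failures": len(window)})
        else:
            # A success from a source already flagged for brute force is the
            # high-priority signal: prevention has failed and corrective
            # controls (lock the account, isolate the host) must take over.
            if ev["src"] in flagged:
                alerts.append({"rule": "success_after_brute_force", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"]})
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample this yields two alerts for 203.0.113.7 and none for the other sources. The sliding window is what keeps the rule from firing on bob's two failures hours apart; a SIEM correlation rule implements the same logic across thousands of hosts, and the second rule is the one worth paging on because it marks the hand-off from detective to corrective controls.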

🔧 Corrective & Recovery Controls: Fix and restore

These controls minimize damage after an incident and restore normal operations as quickly as possible. They are essential for business continuity and resilience.

🚑 Incident Response

Structured procedures to contain, eradicate, and remediate threats while preserving evidence and maintaining communication throughout the process.

Examples: IR playbooks, NIST SP 800-61, containment isolation

🩹 Patch & Remediation

Actions to fix vulnerabilities and misconfigurations discovered through detection activities, preventing repeat exploitation.

Examples: Emergency patching, config remediation, vulnerability closure

💾 Backup & Disaster Recovery

Regular data backups, restore procedures, and failover capabilities to restore operations after incidents, including ransomware attacks.

Examples: 3-2-1 backup rule, RTO/RPO planning, hot standby

// Section 3

Categories by Control Implementation Type

While functional types describe what a control does, implementation categories describe how a control is deployed. Controls fall into three categories: Administrative, Technical, and Physical.

πŸ›οΈ Administrative (Managerial) Controls
Policies, procedures, and governance that shape human behavior and organizational security culture
Click to expand β–Ό
  • Policies & Procedures: Documented rules and workflows governing security practices and user behavior across the organization.
  • Training & Awareness: Programs that educate staff on threats, secure procedures, and reporting channels to reduce human risk.
  • Risk Assessments & Governance: Ongoing evaluation of threats, control effectiveness, and alignment with legal/regulatory obligations.
  • Examples: Security policy, acceptable use policy (AUP), annual security awareness training, NIST RMF, ISO 27001 controls.
💻 Technical (Logical) Controls
Technology-based safeguards enforced by hardware, software, and network infrastructure
  • Encryption & Cryptography: Algorithms and key management protecting data at rest and in transit from disclosure or tampering.
  • Identity & Access Management: Authentication, SSO, MFA, and role-based access control (RBAC) systems.
  • Endpoint & Network Security: Antivirus, EDR, VPNs, secure proxies, and application-layer protections.
  • Examples: AES-256 encryption, Active Directory, firewall rules, antivirus/EDR, VPN, IDS/IPS, SIEM.
🏢 Physical Controls
Real-world barriers and environmental protections for facilities, hardware, and physical assets
  • Facility Access Controls: Locks, badges, guards, and visitor logs preventing unauthorized physical entry to sensitive areas.
  • Environmental Protections: Fire suppression, HVAC, and power redundancy systems protecting hardware from physical threats.
  • Physical Asset Management: Inventory, secure disposal, and asset labeling procedures reducing theft and misuse.
  • Examples: Badge readers, man-traps, security cameras (CCTV), UPS systems, fire suppression, secure document shredding.
// Cross-Reference

Controls by Function × Category Matrix

Any control can be described using BOTH its functional type (what it does) AND its implementation category (how it's deployed).

Control                        Functional Type        Implementation Category
Firewall rules                 Preventive             Technical
Security awareness training    Preventive             Administrative
Badge access system            Preventive             Physical
SIEM / log monitoring          Detective              Technical
Security audit                 Detective              Administrative
Security cameras (CCTV)        Detective              Physical
Backup & restore procedures    Corrective/Recovery    Technical + Administrative
Incident response plan         Corrective/Recovery    Administrative
Emergency power (UPS)          Corrective/Recovery    Physical
// Section 4

Selection & Implementation Guidance

Choosing the right controls requires a structured, risk-based approach. Organizations must match control strength to asset value, align with regulations, and implement using proven practices.

🏷️ Asset Classification

Identify critical systems and data first. Match control strength and priority to the value and sensitivity of each asset.

🗺️ Threat Mapping

Align chosen controls with identified threat scenarios and applicable regulations or standards (NIST, ISO, CMMC, HIPAA, PCI-DSS).

🧱 Defense-in-Depth

Combine administrative, technical, and physical controls to create layered protection and reduce single points of failure.

// Best Practices

Implementation Principles

  • Run penetration tests to find gaps in preventive controls before attackers do.
  • Conduct tabletop exercises to validate that incident response procedures work in practice.
  • Perform control effectiveness audits to ensure controls are functioning as designed.
  • Leverage security orchestration and automation (SOAR) to speed response to detected events.
  • Implement patch automation to reduce the window of vulnerability exposure.
  • Use continuous monitoring tools to maintain visibility without relying solely on manual review.
  • Regularly update and tune controls as the threat landscape evolves.
  • Retire outdated controls that no longer address current risks or create operational burden.
  • Review and update documentation, policies, and procedures annually or after significant changes.
// Section 5: Applied Learning

Real-World Scenarios

Explore how security controls are applied in three different organizational contexts. For each scenario, read the situation and answer the interactive question.

πŸͺ

SCENARIO: Small Business β€” Affordable Baseline Controls

A 12-person accounting firm handles sensitive client tax data. They have a limited IT budget and one part-time IT contractor. They have experienced one phishing attack in the past year that resulted in a staff member clicking a malicious link. The owner wants to implement an affordable baseline set of security controls.
Which combination of controls represents the most cost-effective baseline for this firm?
A
Deploy a 24/7 Security Operations Center (SOC) and enterprise SIEM platform
B
Implement MFA, weekly patching, firewall rules, and staff phishing awareness training
C
Deploy a full Zero Trust network architecture with microsegmentation
D
Install antivirus software on all workstations
// Section 6: Interactive Exercise

Classify the Controls

Drag each security control from the left panel and drop it into the correct functional type category. Then check your answers.

// Controls to Classify

🔑 Multi-Factor Authentication (MFA)
📋 SIEM Log Monitoring
💾 Backup & Restore
🌐 Firewall Rules
🚨 Intrusion Detection System (IDS)
🚑 Incident Response Plan

// Drop Zone: Functional Types

🛡️ PREVENTIVE Controls
🔍 DETECTIVE Controls
🔧 CORRECTIVE Controls
// Section 7

Key Terms Glossary

Search for any term covered in this module. Use this as a reference while studying for Security+ or other certification exams.

Security Control
A safeguard or countermeasure used to protect the confidentiality, integrity, and availability of information systems. Controls can be preventive, detective, or corrective in function, and administrative, technical, or physical in implementation.
Preventive Control
A security control designed to stop threats before they occur or prevent unauthorized access from happening. Examples include firewalls, access controls, hardening, and MFA.
Detective Control
A security control that identifies when a security incident has occurred or is occurring. Examples include SIEM systems, IDS, log monitoring, and security audits.
Corrective / Recovery Control
A security control that reduces the impact of a security incident and restores normal operations. Examples include incident response plans, patch remediation, and backup systems.
Administrative (Managerial) Control
Controls implemented through policies, procedures, training, and governance frameworks. They govern human behavior and organizational security culture. Examples: security policies, AUP, security awareness training.
Technical (Logical) Control
Controls implemented through technology (hardware, software, or network infrastructure). Examples include encryption, IAM systems, firewalls, antivirus, and VPNs.
Physical Control
Controls that protect the physical environment: buildings, hardware, and assets. Examples: locks, badge readers, CCTV, guards, fire suppression, and UPS systems.
Defense-in-Depth
A layered security strategy that combines multiple types of controls so that if one fails, others remain to protect assets. Reduces single points of failure in a security architecture.
CIA Triad
The three core properties of information security: Confidentiality (keeping data private), Integrity (keeping data accurate and unaltered), and Availability (keeping systems and data accessible to authorized users).
Identity and Access Management (IAM)
A framework of policies and technologies for ensuring the right individuals access the right resources at the right time. Includes authentication, MFA, SSO, and RBAC (role-based access control).
SIEM (Security Information and Event Management)
A detective technical control that aggregates and analyzes log data from across an organization's environment to detect threats, generate alerts, and support incident investigation.
Incident Response (IR)
A corrective/recovery control consisting of structured procedures to detect, contain, eradicate, and recover from security incidents. The NIST IR lifecycle includes: Preparation, Detection, Containment, Eradication, Recovery, and Post-Incident Review.
Principle of Least Privilege
A security principle requiring that users, processes, and systems be granted only the minimum access rights necessary to perform their function. Reduces the attack surface and limits damage from compromised accounts.
Hardening
The process of reducing a system's attack surface by removing unnecessary software, disabling unused services, applying secure configurations (e.g., CIS Benchmarks), and keeping systems patched. A preventive technical control.
Risk Assessment
An administrative control process that identifies, analyzes, and evaluates risks to organizational assets. Informs control selection by prioritizing threats based on likelihood and potential impact.
// Section 8: Assessment

Knowledge Check

Test your understanding of security controls with 8 exam-style questions. Choose the best answer for each question.
