1.1 Domain 1 · General Security Concepts

Security Controls

Compare and contrast various types of security controls

The Concept

The Security+ exam tests security controls along two dimensions. The first is Category (how the control is implemented): Technical, Managerial, Operational, or Physical. The second is Type (what the control does): Preventive, Deterrent, Detective, Corrective, Compensating, or Directive.

Every control can be classified on both axes simultaneously. A firewall is Technical + Preventive. A security awareness poster is Managerial + Deterrent. A security guard is Physical + Detective (or Operational + Deterrent, depending on context). The exam expects you to map any given control to both its category and its type.

Control Categories (HOW it's implemented):

  • Technical — implemented through technology. Firewalls, encryption, IDS/IPS, access control lists, antivirus software.
  • Managerial — administrative actions, policies, and procedures. Security policies, risk assessments, security awareness training plans, acceptable use policies.
  • Operational — implemented through day-to-day processes carried out by people. Security guards checking badges, log reviews, change management procedures, incident response drills.
  • Physical — tangible barriers you can touch. Locked doors, fences, bollards, CCTV cameras, mantraps/vestibules, cable locks.

Control Types (WHAT it does):

  • Preventive — stops an incident before it happens. Firewall rules, door locks, encryption, access controls.
  • Deterrent — discourages an attacker from attempting. Warning signs, login banners, security cameras (visible), lighting.
  • Detective — identifies that an incident occurred. IDS, audit logs, motion sensors, security cameras (recording).
  • Corrective — fixes damage after an incident. Backups/restore, patching, antivirus quarantine, fire suppression.
  • Compensating — an alternative when the primary control isn't feasible. Using encryption when you can't segment a network; using MFA when you can't enforce complex passwords on a legacy system.
  • Directive — directs or mandates behavior. Acceptable use policies, compliance requirements, posted procedures, regulatory mandates.

Protecting a server room — all four categories in action:

  • Technical — biometric scanner on the door (authenticates identity electronically)
  • Managerial — access policy defining who is authorized (documentation/governance)
  • Operational — security guard checks IDs at the entrance (human process)
  • Physical — reinforced locked door with deadbolt (tangible barrier)

| Category | Description | Examples |
|---|---|---|
| Technical | Implemented through technology | Firewall, encryption, IDS/IPS |
| Managerial | Administrative policies and procedures | Security policy, risk assessment, training plan |
| Operational | Day-to-day human processes | Guard patrols, log reviews, incident drills |
| Physical | Tangible barriers | Locked doors, fences, bollards, CCTV |

| Type | What It Does | Example |
|---|---|---|
| Preventive | Stops incidents before they happen | Firewall, door lock, encryption |
| Deterrent | Discourages attackers from attempting | Warning sign, login banner, visible camera |
| Detective | Identifies that an incident occurred | IDS, audit log, motion sensor |
| Corrective | Fixes damage after an incident | Backup restore, patch, fire suppression |
| Compensating | Alternative when primary control isn't feasible | Encryption instead of network segmentation |
| Directive | Mandates or directs behavior | AUP, compliance mandate, posted procedure |

Key Takeaway

Category = HOW it's implemented. Type = WHAT it does. The exam tests BOTH together. When a question describes a control, classify it on both axes before choosing your answer.

An unauthorized visitor was discovered in the server room. Management wants a fix by end of week. The IT Manager and Security Admin have different approaches.

Scenario
Server Room Breach
Mid-size company · 300 employees · Server room accessed
IT Manager: "Let's put up a 'Restricted Area — Authorized Personnel Only' sign on the door. That should keep people out and it's cheap."
Security Admin: "A sign is a deterrent — it discourages people, but it doesn't stop anyone. We need a biometric scanner on the door. That's a preventive control — it physically blocks unauthorized access."
IT Manager: "Budget is tight. Can't we just have someone check badges?"
Security Admin: "That's an operational control — it depends on a human being present and consistent. If the guard steps away, the control fails. The biometric lock is technical + preventive — it works 24/7."
Compensating Control

Layered approach: In practice, you combine controls. The sign (deterrent) + badge reader (preventive) + camera (detective) + guard (operational) together are stronger than any single control. But if budget allows only one, pick the control type that matches the risk — for a server room, prevention matters most.

Real Talk — Career Context

In the real world, budget always wins round one. You'll propose biometrics and get approved for a keypad. That's normal. The exam, however, tests ideal security thinking — pick the best control for the scenario, not the cheapest.

On the exam: If the question asks "which control BEST addresses the risk," choose the one that most directly matches the needed type (preventive for stopping access, detective for catching intruders).

After the unauthorized access incident, you have budget for exactly one new control on the server room. The server room contains your company's primary database servers with customer PII. Which do you recommend?

Option A
CCTV Cameras (Physical + Detective)

You'll capture footage of anyone entering. You'll see the intruder — but you won't stop them from accessing the servers.

Option B
Biometric Door Lock (Technical + Preventive)

Only authorized fingerprints can open the door. Unauthorized individuals are physically blocked from entering.

Option B is correct — prevention over detection for high-value assets

Option B: A server room with customer PII requires a preventive control. A biometric door lock physically stops unauthorized access before it happens. Detection (cameras) tells you about a breach after the fact — but the damage (data theft, hardware tampering) is already done.

Option A's kernel of truth: CCTV has value — it provides evidence for investigations and acts as a deterrent. In an ideal world, you'd have both. But when forced to choose, preventing the incident is always better than documenting it.

On the exam: the answer depends on context. For a server room with PII, prevention matters more than detection. But a parking lot might prioritize detective controls (cameras) because prevention (fencing the entire lot) may not be feasible.

Deterrent vs. Preventive

A "No Trespassing" sign doesn't stop anyone — it's a deterrent. A locked door stops people — it's preventive. The test: does the control physically or technically block the action? If yes, preventive. If it just discourages, it's deterrent. A login banner warning of prosecution? Deterrent. An account lockout after 5 failed attempts? Preventive.

Why it's tempting: Both aim to "keep people out." But one relies on psychology, the other on enforcement.

Compensating vs. Corrective

Compensating is an alternative when the primary control isn't feasible — "we can't do X, so we do Y instead." Corrective fixes damage after an incident — "something broke, now we fix it." Example: can't upgrade a legacy system to support modern auth? Add network segmentation as a compensating control. Server was compromised? Restore from backup as a corrective control.

Why it's tempting: Both feel like "backup plans." But compensating replaces a control you can't implement; corrective repairs after failure.

Operational vs. Physical

A security guard is an operational control — it depends on a human performing an action. A locked door is a physical control — it's a tangible barrier that works without human intervention. The distinction: operational = requires people to execute consistently; physical = a passive barrier that exists regardless of staffing.

Why it's tempting: A guard standing at a physical door feels "physical." But the guard is the process (operational); the door is the barrier (physical).

Exam Signal

When you see a control in a question, classify it on BOTH axes before answering. The exam loves combining category + type in the answer choices. "A firewall is which type of control?" — if the choices mix categories and types, pick the one that matches what the question asks. Read carefully: are they asking about category (how) or type (what)? A firewall is Technical (category) AND Preventive (type). The wrong answer will be "Physical" or "Corrective."

Quick Check — End of 1.1

An organization implements an acceptable use policy that all employees must sign. What control CATEGORY and TYPE does this represent?
  • A. Technical / Preventive
  • B. Managerial / Directive
  • C. Operational / Detective
  • D. Physical / Deterrent

Correct: B. An acceptable use policy is a management document (Managerial category) that tells employees what they must and must not do (Directive type). It doesn't technically block anything (not preventive), doesn't detect violations (not detective), and isn't a physical barrier. It directs behavior through policy — that's Managerial + Directive.

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on published exam objectives. Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.