Security Control Categories
Technical, managerial, operational, and physical controls
Technical Control
Uses technology to protect systems such as firewalls and encryption
Managerial Control
Administrative and policy-based security decisions
Operational Control
Human-based processes such as training and procedures
Physical Control
Protects facilities and hardware using locks, guards, and barriers
Preventive Control
Stops security incidents before they occur
Deterrent Control
Discourages attackers
Detective Control
Identifies and records security events
Corrective Control
Fixes systems after an incident
Compensating Control
Alternative control when primary control is not possible
Directive Control
Guides behavior through policies and procedures
Confidentiality
Prevents unauthorized access to data
Integrity
Prevents unauthorized modification of data
Availability
Ensures systems and data are accessible when needed
Non-repudiation
Ensures actions cannot be denied
AAA
Authentication, authorization, and accounting
Authentication
Verifying identity
Authorization
Determining allowed actions
Accounting
Logging and tracking user activity
Authenticating People
Verifying human users
Authenticating Systems
Verifying devices or services
Discretionary Access Control (DAC)
Data owner decides access permissions
Mandatory Access Control (MAC)
Central authority enforces access rules
Role-Based Access Control (RBAC)
Access based on job role
Rule-Based Access Control
Access based on predefined rules
Attribute-Based Access Control (ABAC)
Access based on attributes like user, device, or location
Gap Analysis
Comparison of current security posture to desired state
Zero Trust
Never trust, always verify
Control Plane
Makes access decisions in zero trust architecture
Policy Engine
Evaluates access requests
Policy Administrator
Communicates access decisions to enforcement points
Adaptive Identity
Adjusts access based on risk
Threat Scope Reduction
Limits lateral movement in a network
Policy-Driven Access Control
Access enforced by defined policies
Data Plane
Enforces access decisions
Policy Enforcement Point
Allows or denies access based on policy
Implicit Trust Zones
Areas where trust is assumed
Subject/System
Entity requesting access
Bollards
Physical barriers that stop vehicles
Access Control Vestibule
Prevents tailgating
Fencing
Defines and protects perimeters
Video Surveillance
Monitors and records activity
Security Guard
Human deterrence and response
Access Badge
Provides identity-based physical access
Lighting
Improves visibility and deters attackers
Infrared Sensor
Detects heat or motion
Pressure Sensor
Detects weight or force
Microwave Sensor
Detects motion through signal disruption
Ultrasonic Sensor
Detects motion using sound waves
Honeypot
Fake system used to attract attackers
Honeynet
Group of honeypots in a network
Honeyfile
Fake file that triggers alerts when accessed
Honeytoken
Fake data that alerts when used
Deception Technology Purpose
Early detection and attacker analysis
Public Key Infrastructure (PKI)
Framework that manages keys and certificates
Public Key
Shared key used in asymmetric encryption
Private Key
Secret key used in asymmetric encryption
Key Escrow
Third-party storage of encryption keys
Symmetric Encryption
Same key used to encrypt and decrypt data
Asymmetric Encryption
Uses public and private key pairs
Key Exchange
Secure method of sharing encryption keys
Encryption Algorithm
Mathematical method used to encrypt data
Key Length
Determines encryption strength
Transport Encryption
Protects data in transit
Full Disk Encryption
Encrypts an entire drive
Partition Encryption
Encrypts a disk partition
Volume Encryption
Encrypts a logical volume
File Encryption
Encrypts individual files
Database Encryption
Encrypts database contents
Record Encryption
Encrypts individual records
Trusted Platform Module (TPM)
Hardware chip that securely stores keys
Hardware Security Module (HSM)
Dedicated device for cryptographic operations
Key Management System
Manages key creation, storage, and rotation
Secure Enclave
Isolated secure memory area
Steganography
Hiding data within other data
Tokenization
Replacing sensitive data with non-sensitive tokens
Data Masking
Obscures sensitive data
Hashing
One-way function for data integrity
Salting
Adds randomness to hashes
Key Stretching
Makes brute-force attacks harder
Digital Signature
Verifies sender and message integrity
Blockchain
Distributed tamper-resistant ledger
Open Public Ledger
Blockchain visible to all participants
Certificate Authority (CA)
Trusted entity that issues certificates
Certificate Revocation List (CRL)
List of revoked certificates
Online Certificate Status Protocol (OCSP)
Real-time certificate status checking
Self-Signed Certificate
Certificate signed by itself
Third-Party Certificate
Certificate issued by a trusted CA
Root of Trust
Trusted starting point for verification
Certificate Signing Request (CSR)
Request to generate a certificate
Wildcard Certificate
Secures multiple subdomains
Change Management
Process for controlling system changes
Approval
Process that authorizes changes
Ownership
Accountability for a change
Stakeholders
Individuals affected by a change
Impact Analysis
Evaluates effects of a change
Test Results
Verify change functionality and security
Backout Plan
Steps to undo a failed change
Maintenance Window
Approved time for system changes
Standard Operating Procedure (SOP)
Step-by-step approved process