Compare and contrast various types of security controls
Security controls are the mechanisms you deploy to protect assets. The exam tests two classification axes — by category (who/what implements it) and by function (what it does). You need to be able to look at a control and classify it on both axes simultaneously.
Categories
Technical Controls
Implemented by technology. Hardware or software mechanisms that enforce security without human intervention at the point of execution.
- Firewalls, IDS/IPS (an Intrusion Detection System passively monitors and alerts; an Intrusion Prevention System sits inline and blocks), encryption, access control lists (ACLs)
- Antivirus/EDR (Endpoint Detection and Response), DLP (Data Loss Prevention) agents, smart cards, biometric scanners
- Key trait: Operates automatically once configured
Managerial (Administrative) Controls
Policies, procedures, and oversight activities that define how security is governed.
- Acceptable Use Policies (AUP), security awareness training, risk assessments
- Background checks, separation of duties, incident response plans
- Change management processes, data classification standards
- Key trait: Defines what should happen — enforced by humans or by technical controls downstream
Operational Controls
Day-to-day procedures executed by people (or automation on behalf of people) to maintain security posture.
- Patch management cycles, log review, backup verification
- Guard patrols, media handling procedures, configuration management
- Key trait: The ongoing execution of managerial policy — where the rubber meets the road
Physical Controls
Tangible barriers that prevent or detect unauthorized physical access.
- Fences, bollards, mantrap/vestibule, locks, safes
- CCTV (closed-circuit television), motion sensors, security guards, lighting
- Cable locks, server rack locks, Faraday cages
- Key trait: Controls you can touch
Functions
Preventive
Stops an incident before it occurs. The first line of defense.
- Firewall rules blocking unauthorized traffic (technical)
- Mandatory security training before system access (managerial)
- Locked doors requiring badge access (physical)
Detective
Identifies that an incident has occurred or is in progress. Doesn’t stop it — alerts on it.
- IDS alerting on suspicious traffic patterns (technical)
- Log analysis revealing anomalous login patterns (operational)
- Motion sensors triggering alarms (physical)
Corrective
Remediates the impact after an incident is detected. Restores normal operations.
- Restoring from backup after ransomware (technical/operational)
- Patching a vulnerability after exploitation (technical)
- Rebuilding a compromised system from a known-good image (operational)
Deterrent
Discourages threat actors from attempting an attack. Psychological barrier.
- Warning banners on login screens (technical)
- Visible security cameras (physical)
- Published acceptable use policies with stated consequences (managerial)
Compensating
Alternative controls when the primary control is impractical or too expensive. Must provide equivalent protection.
- Network segmentation when patching a legacy system isn’t possible (technical)
- Increased monitoring when you can’t enforce MFA (multi-factor authentication) on a legacy app (operational)
- Exam trap: Compensating controls aren’t inferior — they’re alternatives that meet the same security objective through a different path
Directive
Guides behavior through mandates and instructions. Tells people what to do.
- “All passwords must be 16+ characters” (managerial)
- “Visitors must be escorted at all times” (operational)
- Signage indicating restricted areas (physical)
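The preventive/detective distinction is easiest to see in code. The following is an added example, not code from the original page: it evaluates the same deny rule once inline (preventive, as a firewall rule or IPS would) and once passively (detective, as an IDS would), then runs a detective log review over constructed sshd-style lines. The connection list, the auth-log lines, the source addresses (203.0.113.0/24 is a documentation range) and the failure threshold are all assumptions for illustration.

```python
"""Preventive vs. detective: the same rule set, two different functions.

Added example, not from the original page. Everything here is constructed:
the connection list, the deny rule, and the auth-log lines. A preventive
control (firewall rule, IPS inline) stops the action; a detective control
(IDS in passive mode, log review) only records and alerts.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample connections: (source IP, destination TCP port)
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", 443),
    ("10.0.0.5", 23),   # Telnet: matches the deny rule below
    ("10.0.0.9", 22),
    ("10.0.0.9", 23),
]

# The "firewall rule blocking port 23" from the cross-classification table
DENY_PORTS = {23}


@dataclass
class RuleOutcome:
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def apply_rule(connections, mode):
    """Evaluate the deny rule in 'prevent' mode (inline, drops the connection)
    or 'detect' mode (passive, forwards everything but raises an alert)."""
    if mode not in ("prevent", "detect"):
        raise ValueError("mode must be 'prevent' or 'detect'")
    outcome = RuleOutcome()
    for src, port in connections:
        if port in DENY_PORTS:
            # Both modes produce evidence; only prevent mode changes the outcome
            outcome.alerts.append(f"{src} -> tcp/{port} matched deny rule")
            if mode == "prevent":
                outcome.dropped.append((src, port))
                continue
        outcome.forwarded.append((src, port))
    return outcome


# Constructed sshd-style auth log: four failures then a success from one source
SAMPLE_AUTH_LOG = """\
Jan 10 02:01:11 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jan 10 02:01:13 host sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jan 10 02:01:15 host sshd[103]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 10 02:01:16 host sshd[104]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jan 10 02:01:18 host sshd[105]: Accepted password for root from 203.0.113.7 port 51008 ssh2
Jan 10 09:15:02 host sshd[210]: Accepted publickey for alice from 10.0.0.20 port 50122 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def review_auth_log(text, threshold=3):
    """Detective control (operational log review): flag any source that
    reaches `threshold` failed logins, and any success that follows failures
    from the same source. Returns findings; it blocks nothing."""
    failures = Counter()
    findings = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] == threshold:
                findings.append(f"brute-force pattern: {src} reached {threshold} failed logins")
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] > 0:
            findings.append(f"success after {failures[m.group(2)]} failures: {m.group(1)} from {m.group(2)}")
    return findings


if __name__ == "__main__":
    for mode in ("prevent", "detect"):
        o = apply_rule(SAMPLE_CONNECTIONS, mode)
        print(f"{mode}: forwarded={len(o.forwarded)} dropped={len(o.dropped)} alerts={len(o.alerts)}")
    for finding in review_auth_log(SAMPLE_AUTH_LOG):
        print("finding:", finding)
```

The rule is identical in both modes; what decides the control's function is whether it is allowed to change the outcome. The log review likewise only reports what already happened, which is the detective function in its purest form.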
Cross-Classification
The exam loves asking you to classify a single control on both axes:
| Control | Category | Function |
|---|---|---|
| Firewall rule blocking port 23 | Technical | Preventive |
| Security camera | Physical | Detective + Deterrent |
| Mandatory awareness training | Managerial | Preventive + Directive |
| Backup restoration procedure | Operational | Corrective |
| “No tailgating” sign | Physical | Deterrent + Directive |
| Network segmentation for unpatched system | Technical | Compensating |
Exam tip: A single control often serves multiple functions. CCTV is both detective (records incidents) and deterrent (visible cameras discourage attacks). The exam will ask you to pick the primary function.
Physical Controls as Functions
Physical controls aren’t just a category — they also serve control functions. CompTIA tests whether you can classify a physical control by what it does:
| Physical Control | Primary Function | Secondary Function |
|---|---|---|
| Deadbolt lock | Preventive | — |
| Security camera (visible) | Deterrent | Detective |
| Security camera (hidden) | Detective | — |
| Motion sensor + alarm | Detective | Deterrent (if audible) |
| Bollards | Preventive | Deterrent |
| Security guard | Preventive | Detective + Deterrent |
| Mantrap/vestibule | Preventive | Detective |
| Lighting | Deterrent | Detective (enables cameras) |
| Fence with razor wire | Deterrent | Preventive |
| Badge reader access log | Detective | — |
Picking the PRIMARY Function
CompTIA’s signature move: “What is the PRIMARY function of [control]?” When a control serves multiple functions, use this decision logic:
- Does it stop the action from happening? → Preventive
- Does it identify that something happened? → Detective
- Does it discourage the attempt? → Deterrent
- Does it fix things after the fact? → Corrective
- Does it tell people what to do? → Directive
The tiebreaker: What was the control designed to do? A visible security camera’s primary purpose is to deter — the recording is a secondary benefit. A hidden camera’s primary purpose is to detect — it can’t deter what people don’t know exists.
“Which Control Would BEST…” Scenarios
CompTIA asks “which control would BEST [achieve goal]?” frequently. The answer depends on the goal:
| Goal | Best Control Type | Example |
|---|---|---|
| Prove a control is working | Detective | Audit logs, monitoring, review |
| Stop an attack in progress | Preventive (technical) | Firewall rule, IPS, access control |
| Discourage insider misuse | Deterrent + Directive | Warning banner + AUP with consequences |
| Recover from a failure | Corrective | Backup restoration, failover |
| Address an unpatchable system | Compensating | Network segmentation + enhanced monitoring |
| Verify policy compliance | Detective (operational) | Access review, configuration audit |
Regulatory Control Terminology
Different frameworks use different terms for the same concepts. CompTIA expects you to recognize the mappings:
HIPAA Safeguards
HIPAA (Health Insurance Portability and Accountability Act, the US healthcare data protection law) uses “safeguards” instead of “controls”:
- Administrative safeguards: Risk analysis, workforce training, contingency planning, security officer designation → maps to Managerial controls
- Technical safeguards: Access controls, audit controls, integrity controls, transmission security → maps to Technical controls
- Physical safeguards: Facility access, workstation security, device/media controls → maps to Physical controls
NIST 800-53 Control Families
NIST (National Institute of Standards and Technology, the US standards body that publishes the CSF and the SP 800 series) organizes SP 800-53 controls into 20 families. You don’t need to memorize all 20, but know the structure:
- Families include: Access Control (AC), Audit (AU), Configuration Management (CM), Incident Response (IR), Risk Assessment (RA), System & Communications Protection (SC)
- Controls are selected based on system categorization: Low, Moderate, High impact baseline
- Higher impact = more controls required from each family
Key Point
The categories (technical, managerial, operational, physical) and functions (preventive, detective, etc.) are universal — they apply regardless of which regulatory framework you’re working within. The framework just determines which specific controls are required.
Offensive Context
An attacker’s first move is mapping which controls exist and which functions are missing. If an org has strong preventive controls but weak detective controls, the attacker knows they need to avoid triggering prevention — but once past it, they can operate freely because nobody’s watching. Understanding control gaps as an attacker makes you better at identifying what’s missing as a defender.
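Classifying every control on both axes (the page's cross-classification exercise) is what makes the gap described above visible. The following is an added example, not code from the original page: it tags a constructed control inventory with a category and one or more functions (primary first), builds the coverage matrix, and reports which functions have nothing behind them. The inventory, control names and thresholds are assumptions chosen to reproduce the "strong preventive, weak detective" organisation the text describes, seen from the defender's side.

```python
"""Control-coverage gap analysis over a constructed control inventory.

Added example, not from the original page. Each control is classified on both
exam axes: a category and one or more functions (primary listed first). The
report shows which functions have no control behind them.
"""
from collections import Counter
from dataclasses import dataclass

CATEGORIES = ("technical", "managerial", "operational", "physical")
FUNCTIONS = ("preventive", "detective", "corrective", "deterrent", "compensating", "directive")
# Compensating controls are situational (only needed when a primary control can't
# be met), so they are not counted as required by default
DEFAULT_REQUIRED = tuple(f for f in FUNCTIONS if f != "compensating")


@dataclass(frozen=True)
class Control:
    name: str
    category: str
    functions: tuple  # primary function first, secondary ones after

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if not self.functions or set(self.functions) - set(FUNCTIONS):
            raise ValueError(f"bad function list for {self.name}: {self.functions}")

    @property
    def primary(self):
        return self.functions[0]


# Constructed inventory: strong prevention, nothing watching once an attacker is past it
SAMPLE_INVENTORY = [
    Control("Firewall rule blocking port 23", "technical", ("preventive",)),
    Control("MFA on VPN", "technical", ("preventive",)),
    Control("Deadbolt on server room", "physical", ("preventive",)),
    Control("Bollards", "physical", ("preventive", "deterrent")),
    Control("Acceptable use policy", "managerial", ("directive", "deterrent")),
    Control("Mandatory awareness training", "managerial", ("preventive", "directive")),
    Control("Backup restoration procedure", "operational", ("corrective",)),
]


def coverage_matrix(inventory):
    """{function: {category: [control names]}}, crediting every function a control serves."""
    matrix = {f: {c: [] for c in CATEGORIES} for f in FUNCTIONS}
    for ctl in inventory:
        for f in ctl.functions:
            matrix[f][ctl.category].append(ctl.name)
    return matrix


def find_gaps(inventory, min_per_function=1, required=DEFAULT_REQUIRED):
    """Required functions backed by fewer than min_per_function controls, with their counts."""
    matrix = coverage_matrix(inventory)
    gaps = {}
    for f in required:
        total = sum(len(names) for names in matrix[f].values())
        if total < min_per_function:
            gaps[f] = total
    return gaps


def primary_function_counts(inventory):
    """How many controls have each function as their PRIMARY function."""
    return Counter(ctl.primary for ctl in inventory)


def format_report(inventory):
    """Text view of the matrix followed by the gap lines a defender would act on."""
    matrix = coverage_matrix(inventory)
    lines = []
    for f in FUNCTIONS:
        cells = [f"{c}={len(matrix[f][c])}" for c in CATEGORIES]
        lines.append(f"{f:<12} " + "  ".join(cells))
    for f, n in find_gaps(inventory).items():
        lines.append(f"GAP: {f} is backed by {n} control(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_INVENTORY))
```

Run as written, the report shows five preventive controls and a detective row of zeros, which is exactly the situation the text warns about; raising `min_per_function` to 2 also surfaces the single corrective control as thin. Crediting secondary functions (bollards as deterrent, training as directive) matters, because a matrix built from primary functions alone would understate deterrent and directive coverage.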