Mark as Complete

1.1 Security Controls

Security controls are safeguards or countermeasures designed to protect the confidentiality, integrity, and availability of information systems.

Control Categories

Category	Description	Examples
Technical	Implemented through technology	Firewalls, encryption, access control lists, IDS/IPS
Administrative	Policies and procedures	Security policies, training, background checks, risk assessment
Operational	Day-to-day security operations	Backup procedures, incident response, security awareness training
Physical	Tangible protections	Locks, guards, surveillance cameras, mantraps

Control Functions

Function	Purpose	Examples
Preventive	Stop incidents from occurring	Firewalls, encryption, access controls, security training
Detective	Identify and monitor incidents	IDS, CCTV, audit logs, security monitoring
Corrective	Remediate after incidents	Backup restoration, patches, incident response procedures
Deterrent	Discourage potential attackers	Warning signs, security guards, visible cameras
Compensating	Alternative when primary controls fail	Manual monitoring, temporary controls, workarounds
Directive	Direct or limit actions	Security policies, acceptable use policies, procedures

Operational Controls (Detailed)

Operational controls focus on day-to-day security operations and procedures:

• Security Awareness Training: Regular employee security education
• Configuration Management: Standardized system configurations
• Change Management: Controlled system modifications
• Incident Response: Procedures for handling security incidents
• Backup and Recovery: Regular data backups and restoration testing
• Media Protection: Secure handling of storage media
• Physical Security Operations: Guard patrols, access logs review
• Vulnerability Management: Regular scanning and patching

Defense in Depth Strategy

Layered security approach using multiple controls:

• Perimeter: Firewalls, network segmentation, physical barriers
• Network: IDS/IPS, network monitoring, VLANs
• Host: Antivirus, host firewalls, system hardening
• Application: Secure coding, input validation, WAF
• Data: Encryption, access controls, data classification
• User: Security training, strong authentication, least privilege

Control Implementation Considerations

• Cost vs. Benefit: Balance security investment with risk reduction
• Usability: Controls should not unduly hinder productivity
• Maintenance: Regular updates and monitoring required
• Compliance: Meet regulatory and legal requirements
• Scalability: Controls should grow with the organization

Mark as Complete

1.2 CIA Triad & AAA Framework

The CIA Triad represents the three core principles of information security, while AAA provides the framework for secure access control.

The CIA Triad

Principle	Definition	Security Controls	Threats
Confidentiality	Protection from unauthorized disclosure	Encryption, access controls, data classification	Eavesdropping, data theft, social engineering
Integrity	Protection from unauthorized modification	Hashing, digital signatures, version control	Data tampering, unauthorized changes
Availability	Ensuring authorized access when needed	Redundancy, backups, fault tolerance	DoS attacks, system failures, disasters

AAA Framework

Component	Purpose	Methods	Technologies
Authentication	Verify identity of users/systems	Passwords, biometrics, tokens, certificates	RADIUS, TACACS+, Kerberos, OAuth
Authorization	Determine access rights	RBAC, ABAC, MAC, DAC	Access control lists, security policies
Accounting	Track user activities	Logging, auditing, monitoring	SIEM, audit trails, session recording

Additional Security Concepts

• Non-Repudiation: Inability to deny actions
  • Methods: Digital signatures, audit trails
  • Purpose: Legal evidence, accountability
• Least Privilege: Grant minimum necessary access
• Separation of Duties: Divide critical tasks among multiple people
• Defense in Depth: Multiple layers of security controls
• Due Care: Reasonable precautions to protect assets
• Due Diligence: Ongoing activities to maintain security

Authentication Factors

• Something You Know: Passwords, PINs, security questions
• Something You Have: Smart cards, tokens, mobile devices
• Something You Are: Biometrics (fingerprint, iris, face)
• Somewhere You Are: Location-based (GPS, IP geolocation)
• Something You Do: Behavioral biometrics (typing patterns)

Mark as Complete

1.3 Governance, Risk & Compliance

Governance establishes the security framework, risk management identifies and treats security risks, and compliance ensures adherence to legal and regulatory requirements.

Security Governance Components

Document Type	Purpose	Characteristics	Examples
Policies	High-level management intent	Broad, strategic, mandatory	Information Security Policy, Acceptable Use Policy
Standards	Specific mandatory requirements	Detailed, technical, compulsory	Password standards, encryption standards
Procedures	Step-by-step instructions	Specific, actionable, repeatable	Incident response procedures, backup procedures
Guidelines	Recommended best practices	Advisory, flexible, suggested	Security configuration guides

Key Regulations & Standards

Regulation/Standard	Scope	Key Requirements	Applicability
GDPR	Data privacy and protection	Data subject rights, privacy by design	EU citizens' data worldwide
HIPAA	Healthcare information	PHI protection, security safeguards	Healthcare organizations in US
PCI DSS	Payment card data	Cardholder data protection	Organizations handling payment cards
SOX	Financial reporting	Internal controls, financial accuracy	Publicly traded companies in US
FISMA	Federal information systems	Security controls, continuous monitoring	US federal agencies

Risk Management Framework

• Risk Identification: Asset inventory, threat analysis, vulnerability assessment
• Risk Assessment: Qualitative (High/Medium/Low) or Quantitative (ALE = SLE × ARO)
• Risk Treatment:
  • Mitigate: Implement controls
  • Transfer: Insurance, outsourcing
  • Avoid: Discontinue risky activities
  • Accept: Document and monitor

Security Frameworks

• NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
• ISO 27001/27002: International information security standards
• COBIT: Governance and management of enterprise IT
• CIS Controls: 20 critical security controls

Mark as Complete

1.4 Access Control Models & Methods

Access control systems regulate who or what can view or use resources in a computing environment, implementing the principle of least privilege.

Access Control Models

Model	Control Basis	Implementation	Use Cases
DAC (Discretionary)	Data owner decides	Access control lists (ACLs)	File systems, small organizations
MAC (Mandatory)	System-enforced policies	Security labels, clearance levels	Military, government systems
RBAC (Role-Based)	Job functions	Role assignments, permissions	Enterprise environments
ABAC (Attribute-Based)	Multiple attributes	Policies evaluating attributes	Dynamic environments, cloud
Rule-Based	Global rules	If-then rules applied to all users	Firewalls, network access

Access Control Methods

Method	Description	Examples	Security Level
Something You Know	Knowledge-based authentication	Passwords, PINs, security questions	Low
Something You Have	Physical token possession	Smart cards, tokens, mobile devices	Medium
Something You Are	Biometric characteristics	Fingerprint, iris scan, facial recognition	High
Somewhere You Are	Location-based authentication	GPS location, IP address geolocation	Contextual

Key Access Control Principles

• Least Privilege: Users get minimum access needed
• Separation of Duties: Critical tasks split among multiple people
• Need to Know: Access only to information necessary for job
• Implicit Deny: Default deny unless explicitly permitted
• Job Rotation: Regular rotation of sensitive duties
• Mandatory Vacation: Required time off for fraud detection

Access Control Implementation

• Access Control Lists (ACLs): List of permissions attached to objects
• Group Policies: Centralized management of user/computer settings
• Time-based Restrictions: Access limited to specific time periods
• Geographic Restrictions: Access limited to specific locations

Mark as Complete

1.5 Cryptographic Concepts & PKI

Cryptography provides the foundation for secure communications, data protection, and digital trust through mathematical algorithms and protocols.

Cryptographic Algorithms

Algorithm Type	Purpose	Key Features	Common Examples
Symmetric Encryption	Confidentiality	Single shared key, fast performance	AES, 3DES, Blowfish, RC4
Asymmetric Encryption	Key exchange, digital signatures	Public/private key pairs, slower	RSA, ECC, Diffie-Hellman
Hash Functions	Integrity verification	One-way, fixed output size	SHA-256, MD5, SHA-3
Digital Signatures	Authentication, non-repudiation	Hash + asymmetric encryption	DSA, ECDSA, RSA signatures

Public Key Infrastructure (PKI)

Component	Role	Function	Examples
Certificate Authority (CA)	Trusted entity	Issues and manages digital certificates	DigiCert, Let's Encrypt, internal CA
Registration Authority (RA)	Verification agent	Verifies certificate requests	Part of CA or separate service
Digital Certificate	Digital credential	Binds public key to identity	X.509 certificates
CRL/OCSP	Revocation services	Check certificate validity	Certificate Revocation List, Online Status

Cryptographic Use Cases

• Data at Rest: Full disk encryption, database encryption
• Data in Transit: TLS/SSL, VPNs, SSH
• Authentication: Digital certificates, challenge-response
• Integrity: Hash verification, digital signatures
• Non-Repudiation: Digital signatures with timestamps

Key Management Best Practices

• Key Generation: Use cryptographically secure random generators
• Key Storage: Hardware Security Modules (HSMs), secure key stores
• Key Distribution: Secure channels, key exchange protocols
• Key Rotation: Regular key changes, key expiration policies
• Key Destruction: Secure key deletion, cryptographic erasure

Common Cryptographic Protocols

• TLS/SSL: Secure web communications (HTTPS)
• IPsec: Secure network communications
• SSH: Secure remote access
• PGP/GPG: Email encryption
• Kerberos: Network authentication protocol