MyCertStack logoMyCertStack

    CompTIA - Security+ Study Guide

    1: 1.0 General Security Concepts

    This chapter establishes the foundational vocabulary and frameworks that every later study area builds on: how security controls are classified, what the CIA triad and AAA model really require, how Zero Trust changes the access model, why change management is itself a security control, and how cryptographic primitives compose into PKI, certificate trust, and data protection at every storage layer. The chapter is taught as a decision-maker reference: capability tables, comparison matrices, and decision trees replace step-by-step labs so the reader learns to pick the correct control or primitive for a stated business constraint, which is exactly how the exam frames its scenario items.

    Learning Objectives

    By the end of this chapter, you will be able to:

    • Compare and contrast various types of security controls.
    • Summarize fundamental security concepts.
    • Explain the importance of change management processes and the impact to security.
    • Explain the importance of using appropriate cryptographic solutions.

    Executive Summary

    • Security controls split along two independent axes: a CATEGORY axis (technical, managerial, operational, physical) describing HOW the control is implemented, and a TYPE axis (preventive, deterrent, detective, corrective, compensating, directive) describing WHAT the control does in the kill chain. The exam loves to swap a category for a type and ask you to pick the misclassification.
    • The CIA triad plus non-repudiation plus AAA define the goals; Zero Trust defines the architecture; physical security and deception technologies round out defense in depth. Every control decision must map back to a stated CIA goal and a defined subject.
    • Change management is a security control, not paperwork. Unapproved or undocumented changes are how segmentation, hardening, and least-privilege quietly erode. Approval workflow, backout plan, maintenance window, version control, and updated diagrams are non-negotiable for any production change.
    • Cryptography is a small toolbox with strict rules: symmetric primitives for bulk data, asymmetric primitives for key exchange and signatures, hashing for integrity, salting plus key stretching for password storage, and PKI to bind identities to public keys. The wrong primitive for the stated goal is the single most common exam trap in the cryptography area.

    Assumptions

    • The reader has the recommended background: networking fundamentals at the level of CompTIA Network+, plus around two years of systems or security administration exposure.
    • All references to product features, exam configuration, and exam-objective coverage reflect the published objectives for the active version of this exam (SY0-701, Objectives Version 5.0). Verify any field that affects your sit date directly against the official exam objectives PDF before booking.
    • Terminology follows the official exam objectives word for word. Where the field uses several names for the same concept (for example, certificate revocation list and CRL, or access control vestibule and mantrap), this chapter introduces both forms and then uses the official short form for the remainder of the chapter.

    Sections in this chapter

    1. Free
    2. Free with account
    3. Free with account
    4. Free with account
    5. Free with account