2.1. Security Controls
First Principle: Every security breach traces back to a control that was missing, misconfigured, or insufficient. Security controls are the building blocks of every defense strategy; they exist to reduce risk. But a pile of controls isn't a security program any more than a pile of bricks is a building. The first step to designing a coherent defense is classifying controls along two independent dimensions: category (who implements it?) and type (what does it achieve?).
What breaks without proper classification? Compliance audits fail because you can't demonstrate layered coverage. Security architectures develop blind spots: an organization might stack five firewalls (all technical/preventive) while having zero detective controls and no incident response procedures. Imagine securing a home: you might install deadbolts (physical/preventive) and alarms (physical/detective), but if you never lock the deadbolt (operational gap) and have no insurance policy (managerial gap), you're exposed despite spending on technology.
The exam frequently presents a control and asks you to classify it on both dimensions simultaneously. A security camera is physical AND detective. An acceptable use policy is managerial AND directive. Master both axes, and you'll answer these questions instantly.
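The two-axis classification can be turned into a coverage check over a control inventory. The sketch below is an added example, not part of the original guide: the inventory is constructed from the controls named above, the full lists of categories and types are an assumption (the section names only some of them), and `stack_limit` is a hypothetical threshold for flagging an over-stacked cell.

```python
from collections import Counter

# Assumed axis values; the section itself names only a subset of these.
CATEGORIES = ("technical", "managerial", "operational", "physical")
TYPES = ("preventive", "deterrent", "detective",
         "corrective", "compensating", "directive")

# Constructed inventory: (control name, category, type).
INVENTORY = [(f"firewall {i}", "technical", "preventive") for i in range(1, 6)]
INVENTORY += [
    ("deadbolt", "physical", "preventive"),
    ("security camera", "physical", "detective"),
    ("acceptable use policy", "managerial", "directive"),
]

def coverage(inventory):
    """Count controls per (category, type) cell; reject unknown labels."""
    cells = Counter()
    for name, category, ctype in inventory:
        if category not in CATEGORIES or ctype not in TYPES:
            raise ValueError(f"control {name!r} is not classified on both axes")
        cells[(category, ctype)] += 1
    return cells

def gaps(inventory, stack_limit=3):
    """Report empty rows and columns of the matrix and over-stacked cells."""
    cells = coverage(inventory)
    return {
        "empty_categories": [c for c in CATEGORIES
                             if not any(cells[(c, t)] for t in TYPES)],
        "empty_types": [t for t in TYPES
                        if not any(cells[(c, t)] for c in CATEGORIES)],
        "stacked_cells": sorted(cell for cell, n in cells.items()
                                if n > stack_limit),
    }

if __name__ == "__main__":
    for finding, values in gaps(INVENTORY).items():
        print(f"{finding}: {values}")
```
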
