2.5. Reflection Checkpoint
Key Takeaways
Before proceeding to Phase 3, ensure you can:
- Classify any control by both category (technical/managerial/operational/physical) AND type (preventive/detective/corrective/deterrent/compensating/directive)
- Identify which CIA property a scenario targets and which controls address it
- Diagram Zero Trust architecture with both planes and name each component
- Map the change management process from impact analysis through backout plan
- Distinguish symmetric from asymmetric encryption use cases
- Explain PKI trust chains from root CA through end-entity certificate
- Differentiate hashing, salting, key stretching, tokenization, and data masking
Connecting Forward
Phase 3 shifts from defensive concepts to offensive reality: who attacks you, how they get in, what they exploit, and how you detect them. You'll meet threat actors from nation-states to script kiddies, trace attack vectors from phishing emails to supply chain compromises, and catalog vulnerabilities from SQL injection to zero-days. The controls you learned here are what you deploy — Phase 3 teaches you why each exists by showing you the threats they counter.
Self-Check Questions
- A company implements biometric scanners at the front door, encrypts all laptops, requires annual security awareness training, and has a written acceptable use policy. Name the category and primary type of each control.
- An organization's database records were silently modified over three months. Which CIA property was violated? Which detective controls might have caught this? Which cryptographic technique could have prevented undetected modification?
- A junior administrator pushes a firewall rule change directly to production during business hours without testing, breaking payment processing for 45 minutes. Which change management elements were missing?
