Chapter 2 of 25
Core Security Foundations: CIA Triad, AAA, and Security Controls
Before diving into threats and tools, anchor your understanding in the core models and control types that show up in nearly every Security+ question and real-world security decision.
Step 1: Why CIA, AAA, and Controls Matter (and Where They Show Up on Security+)
The Hidden Pattern
Most Security+ questions are really asking three things: what are we protecting (CIA)? Who is acting (AAA)? And how are we controlling it (security controls)?
About This Certification
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
Current Exam Code
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam. This module is aligned to that version.
Where This Content Appears
CIA, AAA, and controls show up in all five domains: General Security Concepts, Threats, Architecture, Operations, and Program Management and Oversight.
Your Learning Targets
You will master CIA, AAA, the full canonical list of security control types, and how to choose the right control in simple real-world scenarios.
Step 2: The CIA Triad – The Three Big Goals of Security
CIA Components
The CIA triad has three components you must know exactly: confidentiality, integrity, availability.
Confidentiality
Confidentiality: only authorized people, processes, or systems can access the data. Think secrecy and privacy.
Integrity
Integrity: data is accurate, complete, and unaltered except by authorized methods. Think no unauthorized or undetected changes.
Availability
Availability: authorized users can access data and systems when needed. Think uptime, resilience, and performance.
CIA Exam Clues
Prevent eavesdropping → confidentiality. Prevent or detect tampering → integrity. Minimize downtime → availability.
Step 3: AAA – Who Are You, What Can You Do, and What Did You Do?
AAA Components
AAA has three functions you must know exactly: authentication, authorization, accounting.
Authentication
Authentication answers: Who are you? Prove it. It verifies identity using passwords, tokens, biometrics, and more.
Authorization
Authorization answers: Now that I know who you are, what are you allowed to do? It defines and enforces permissions.
Accounting
Accounting answers: What did you do, and when? It covers logging, monitoring, and auditing of user actions.
AAA Exam Traps
Identity verification → authentication. Permission checks → authorization. Logs and audits → accounting, even if the word auditing is used.
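To make the three AAA functions concrete, here is an added example (not part of the original chapter or the Security+ material) that separates them in code: a password check for authentication, a role-to-permission lookup for authorization, and an append-only audit log for accounting. The user store, roles, permissions and passwords are constructed for the demonstration; note that every attempt, including failures, is recorded, because accounting must answer "what happened" even when access was refused.

```python
"""Toy AAA flow: authenticate, then authorize, then account for every attempt.
Users, roles and permissions below are constructed sample data."""
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored value is a slow, salted hash rather than the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store: username -> salt, password hash, role
USERS = {
    "alice": _make_user("correct horse battery", "admin"),
    "bob": _make_user("hunter2-but-longer", "analyst"),
}

# Authorization data (constructed, role-based): role -> set of allowed actions
PERMISSIONS = {
    "admin": {"read_logs", "change_config"},
    "analyst": {"read_logs"},
}

# Accounting: append-only list of every request and its outcome
AUDIT_LOG: list[dict] = []


def _record(user: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "outcome": outcome,
    })


def authenticate(username: str, password: str) -> bool:
    """Who are you? Prove it. Returns True only on a matching password."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so unknown and known usernames take similar time
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def authorize(username: str, action: str) -> bool:
    """Now that I know who you are, are you allowed to do this?"""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


def handle_request(username: str, password: str, action: str) -> str:
    """Run the full AAA chain and return 'allowed', 'denied' or 'auth_failed'."""
    if not authenticate(username, password):
        _record(username, action, "auth_failed")
        return "auth_failed"
    if not authorize(username, action):
        _record(username, action, "denied")
        return "denied"
    _record(username, action, "allowed")
    return "allowed"


if __name__ == "__main__":
    print(handle_request("alice", "correct horse battery", "change_config"))  # allowed
    print(handle_request("bob", "hunter2-but-longer", "change_config"))      # denied
    print(handle_request("mallory", "guess", "read_logs"))                   # auth_failed
    for entry in AUDIT_LOG:
        print(entry)
```

The exam trap in the section above maps directly onto the three functions here: `authenticate` is identity verification, `authorize` is the permission check, and the `AUDIT_LOG` entries are accounting, whatever the surrounding text calls them.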
Step 4: What Are Security Controls? (And Why Names Get Confusing)
Security Controls Defined
A security control is any safeguard or countermeasure used to reduce risk, enforce policy, or protect confidentiality, integrity, and availability.
Forms of Controls
Controls can be technology (firewall), process (change management), or physical (locks, guards). All are valid security controls.
Two Description Styles
We describe controls as categories (technical, administrative/managerial, physical) and functions (preventive, detective, corrective, etc.).
Canonical List Preview
Security+ also uses a canonical list of security control types that mixes both category-style and function-style labels.
Same Control, Many Labels
A firewall can be technical and preventive. A policy can be managerial (administrative) and directive. Expect overlapping labels.
Step 5: The Canonical Security Control Types – Memorize This List
Canonical List (Memorize)
You must know this list exactly: technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.
Technical & Preventive
Technical: technology-based controls like firewalls and encryption. Preventive: controls that aim to stop incidents before they happen.
Managerial & Deterrent
Managerial: management-level controls like policies and risk assessments. Deterrent: controls that discourage attacks, such as warning banners.
Operational & Detective
Operational: day-to-day processes like backups and incident response. Detective: controls that identify events, such as IDS and log monitoring.
Physical, Corrective, Compensating, Directive
Physical: tangible protections. Corrective: fix damage. Compensating: alternative controls. Directive: guide behavior, like policies and SOPs.
Step 6: Control Categories vs Control Functions – Untangling the Labels
Two Ways to Classify
Controls are described by categories (what kind of thing) and functions (what it does). You must handle both views.
Control Categories
Categories: technical (logical), administrative/managerial, and physical. These describe the nature of the control.
Control Functions
Functions: preventive, detective, corrective, deterrent, compensating, directive. These describe the control's purpose or timing.
One Control, Many Labels
A camera is physical (category), detective and deterrent (functions). A password policy is managerial, directive, and preventive.
Exam Wording Clues
If you see technical/administrative/physical, think categories. If you see prevent/detect/correct, think functions.
Step 7: Mapping Real-World Scenarios to CIA, AAA, and Controls
Scenario 1: VPN with MFA
A VPN with MFA and logging focuses on confidentiality and availability, relies on AAA for login, and combines technical, preventive, and detective controls.
Scenario 1 – Control Mapping
Technical: VPN, MFA, logs. Preventive: MFA blocks unauthorized access. Detective: log monitoring for suspicious VPN activity.
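The detective control in Scenario 1 is log monitoring. As an added example (not part of the original chapter), the following Python reads a few constructed VPN log lines and flags two patterns a defender would want to see: a burst of MFA failures for one user inside a short window, and a successful login that immediately follows such a burst. The log format, usernames, addresses and thresholds are all assumptions made for the example.

```python
"""Detective control: scan VPN log lines for MFA-failure bursts.
The log format and the sample lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<timestamp> vpn user=<name> src=<ip> event=<event>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)

# Constructed sample log (documentation-range IP addresses)
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn user=alice src=203.0.113.5 event=mfa_failed
2024-05-01T08:00:30Z vpn user=alice src=203.0.113.5 event=mfa_failed
2024-05-01T08:01:10Z vpn user=alice src=203.0.113.5 event=mfa_failed
2024-05-01T08:01:45Z vpn user=alice src=203.0.113.5 event=login_success
2024-05-01T08:05:00Z vpn user=bob src=198.51.100.7 event=login_success
2024-05-01T09:00:00Z vpn user=carol src=192.0.2.9 event=mfa_failed
2024-05-01T09:30:00Z vpn user=carol src=192.0.2.9 event=login_success
""".splitlines()


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # fromisoformat accepts "+00:00" on every supported Python version
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def find_suspicious(lines, threshold=3, window=timedelta(minutes=10)):
    """Return (finding, user, timestamp) tuples for MFA-failure bursts
    and for logins that succeed right after such a burst."""
    recent_failures = defaultdict(list)  # user -> timestamps inside the window
    findings = []
    for e in sorted(parse(lines), key=lambda r: r["ts"]):
        user, ts = e["user"], e["ts"]
        # Drop failures that have aged out of the window
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window]
        if e["event"] == "mfa_failed":
            recent_failures[user].append(ts)
            if len(recent_failures[user]) == threshold:
                findings.append(("mfa_failure_burst", user, ts))
        elif e["event"] == "login_success":
            if len(recent_failures[user]) >= threshold:
                findings.append(("success_after_failures", user, ts))
            recent_failures[user] = []
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The check is stateless beyond the sliding window, so it can run over a log tail as lines arrive. Carol's single failure followed by a success half an hour later produces nothing, which is the intended behaviour: the control is tuned to repeated failures in a short time, not to every mistyped code.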
Scenario 2: Data Center Security
Data center with locks, guards, cameras, and warning signs protects CIA via physical, deterrent, detective, and preventive controls.
Scenario 2 – AAA and Controls
Authentication: badges checked. Authorization: only some roles enter. Accounting: visitor and badge logs; cameras record activity.
Scenario 3: Change Management
Change management protects integrity and availability using managerial and operational controls that are preventive and directive.
Step 8: Quick Classification Drill – You Label the Controls
Practice labeling controls. For each item, pause and answer these questions in your head or on paper:
- Database encryption at rest
  - a) Which CIA goal is primary?
  - b) Is this technical, administrative/managerial, or physical?
  - c) Which function(s) best fit: preventive, detective, corrective, deterrent, compensating, directive?
- Security awareness training about phishing
  - a) Which CIA goal(s) does this indirectly protect?
  - b) Category: technical, administrative/managerial, or physical?
  - c) Function(s)?
- File integrity monitoring (FIM) on critical system files
  - a) Which CIA goal is primary?
  - b) Category?
  - c) Function(s)?
- Door badge readers with logs of every entry
  - a) Which CIA goals are involved?
  - b) Category?
  - c) Function(s)? Also, where does AAA show up?
---
Suggested Answers (Check Yourself)
- Database encryption at rest
  - a) Primarily confidentiality.
  - b) Technical.
  - c) Mostly preventive (prevents reading data if disks are stolen).
- Security awareness training
  - a) Helps protect confidentiality, integrity, and availability by reducing user mistakes.
  - b) Administrative/managerial.
  - c) Mainly preventive and directive (teaches users what to do and not do).
- File integrity monitoring
  - a) Primarily integrity.
  - b) Technical.
  - c) Mainly detective (alerts on changes); can support corrective actions.
- Door badge readers with logs
  - a) Confidentiality, integrity, availability of systems in that room.
  - b) Physical.
  - c) Preventive (blocks unauthorized entry) and detective via the entry logs, which also provide AAA accounting. AAA: authentication (badge), authorization (who has access), accounting (entry logs).
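The file integrity monitoring item in the drill above is a technical, detective control for integrity. As an added example (not from the original chapter), this Python builds a baseline of SHA-256 hashes for a directory tree, then compares a later snapshot against it and reports modified, added and removed files. The directory layout and file contents in `demo()` are constructed inside a temporary directory so the code runs offline and cleans up after itself.

```python
"""Minimal file integrity monitor: hash a tree, compare against a baseline.
The files created in demo() are constructed sample data."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative, POSIX-style) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Detective step: report what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Create a constructed tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF-constructed-binary")
        (root / "etc" / "app.conf").write_text("log_level=info\n")
        (root / "etc" / "old.conf").write_text("deprecated=true\n")

        baseline = build_baseline(root)

        # Simulated unauthorized changes: edit a config, drop in a new file, delete one
        (root / "etc" / "app.conf").write_text("log_level=info\nadmin_bypass=true\n")
        (root / "etc" / "new.conf").write_text("planted=yes\n")
        (root / "etc" / "old.conf").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be stored somewhere the monitored host cannot silently rewrite, and each change would be matched against approved change records; that link back to change management is the corrective follow-up the drill answer mentions.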
Step 9: Quiz – CIA and AAA Fundamentals
Check your understanding of CIA and AAA before we move on.
A company implements a system where employees must swipe a badge to enter the building, and the system records each entry with a timestamp. Which AAA function is MOST directly provided by the logging of entries?
- A) authentication
- B) authorization
- C) accounting
- D) availability
Answer: C) accounting
The logging of entries with timestamps is about recording and tracking user actions, which is the accounting function. Authentication is verifying identity (badge swipe), authorization is deciding who is allowed in, and availability is unrelated to the logs.
Step 10: Quiz – Control Types and Categories
Now test your ability to classify controls correctly.
An organization posts a prominent "Authorized Personnel Only" sign and a legal warning banner on its login screen. In terms of security control types, how are these BEST classified?
- A) technical and corrective
- B) managerial and directive
- C) physical and corrective
- D) operational and detective
Answer: B) managerial and directive
Warning signs and banners are created and mandated by management, so they are managerial controls, and they guide behavior, so they are directive controls. They do not directly detect or correct incidents, and they are not technical.
Step 11: Flashcards – Lock In the Key Terms and Lists
Use these flashcards to reinforce the core vocabulary and canonical lists you must recall instantly on exam day.
- CIA triad components (in order)
- confidentiality, integrity, availability
- AAA functions (in order)
- authentication, authorization, accounting
- Canonical security control types (full list)
- technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive
- Define confidentiality
- Ensuring that only authorized people, processes, or systems can access data; protecting secrecy and privacy.
- Define integrity
- Ensuring data is accurate, complete, and unaltered except by authorized methods; preventing unauthorized or undetected changes.
- Define availability
- Ensuring authorized users can access data and systems when needed; focusing on uptime, resilience, and performance.
- Define authentication
- The AAA function that verifies identity and answers the question: Who are you? Prove it.
- Define authorization
- The AAA function that determines what an authenticated user is allowed to do; what resources and actions are permitted.
- Define accounting
- The AAA function that records and tracks user actions, typically through logging, monitoring, and auditing.
- Control categories vs control functions
- Categories: technical, administrative/managerial, physical (what kind of control). Functions: preventive, detective, corrective, deterrent, compensating, directive (what the control does).
- Example of a technical, preventive control
- A firewall configured to block unauthorized ports and IP addresses.
- Example of a managerial, directive control
- An information security policy that defines password requirements and acceptable use.
- Example of a physical, deterrent control
- Visible security cameras and "Authorized Personnel Only" signs at a facility entrance.
- Example of a detective control
- An intrusion detection system (IDS) that generates alerts on suspicious network traffic.
- Example of a compensating control
- Extra log review and IP allowlisting when multi-factor authentication cannot be implemented for a legacy system.
Step 12: Putting It All Together and Next Steps in Your Study Path
Core Models Recap
You now know CIA (confidentiality, integrity, availability), AAA (authentication, authorization, accounting), and what security controls are.
Control Types Recap
You memorized the canonical control types: technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.
Categories vs Functions
You can distinguish categories (technical, administrative/managerial, physical) from functions (preventive, detective, corrective, deterrent, compensating, directive).
Applying on the Exam
On questions, ask: Which CIA goal? Which AAA function? Which control type and function best addresses the scenario?
Your Next Skarp Steps
Use the diagnostic, spaced review queue, and next mock exam to practice applying these foundations in richer, real-world style scenarios.
Key Terms
- AAA
- A model describing how identities and access are managed: authentication, authorization, accounting.
- SY0-701
- SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
- CIA triad
- A foundational model describing three primary security goals: confidentiality, integrity, availability.
- integrity
- Ensuring data is accurate, complete, and unaltered except by authorized methods; preventing unauthorized or undetected changes.
- accounting
- The AAA function that records and tracks user actions, typically through logging, monitoring, and auditing.
- availability
- Ensuring authorized users can access data and systems when needed; focusing on uptime, resilience, and performance.
- authorization
- The AAA function that determines what an authenticated user is allowed to do; what resources and actions are permitted.
- authentication
- The AAA function that verifies identity and answers the question: Who are you? Prove it.
- confidentiality
- Ensuring that only authorized people, processes, or systems can access data; protecting secrecy and privacy.
- physical control
- A control that protects the physical environment and assets, such as locks, fences, and guards.
- security control
- Any safeguard or countermeasure used to reduce risk, enforce policy, or protect confidentiality, integrity, and availability.
- CompTIA Security+
- CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
- control functions
- Descriptions of what controls do: preventive, detective, corrective, deterrent, compensating, directive.
- detective control
- A control that identifies that a security incident has occurred or is occurring.
- deterrent control
- A control that discourages attempts to violate security, such as warning signs or visible cameras.
- directive control
- A control that guides or constrains behavior, such as policies, standards, and procedures.
- technical control
- A control implemented through technology, such as firewalls, encryption, or access control lists.
- control categories
- High-level groupings of controls by nature: technical, administrative/managerial, physical.
- corrective control
- A control that fixes or limits damage after a security incident.
- hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- managerial control
- A control established by management, such as policies, procedures, and risk assessments; often called administrative.
- preventive control
- A control that aims to stop security incidents from occurring.
- operational control
- A control implemented and executed by people as part of day-to-day operations, such as incident response or change management.
- compensating control
- An alternative control that provides protection when the preferred or primary control is not feasible.
- governance, risk, and compliance
- Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
- security control types (canonical list)
- technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.