Control Selection
Choosing appropriate security controls based on risk assessment, cost considerations, and operational requirements. Covers defense in depth implementation, control types, and balancing security with business needs.
Understanding Control Selection
Security control selection is the art of choosing the right controls for the right risks at the right cost. Not every threat requires the most expensive solution, and not every control is appropriate for every environment.
Control selection factors:
- Risk: What threats are we mitigating?
- Cost: What can we afford?
- Operations: What's practical to implement?
- Compliance: What's required by regulations?
- Effectiveness: How well does it address the risk?
The 2020 SolarWinds breach showed that even sophisticated organizations can have control gaps. Despite robust perimeter security, the supply chain was inadequately protected—highlighting that control selection must address all attack vectors, not just the obvious ones.
Effective security requires thoughtful control selection, not just more controls.
Why This Matters for the Exam
Control selection is heavily tested on SY0-701 because it connects security theory to practice. Questions cover when to use specific controls and how to balance competing requirements.
Understanding control selection helps with security architecture, risk management, and compliance. Selecting wrong controls wastes resources while leaving vulnerabilities.
The exam tests practical decision-making about which controls fit specific scenarios.
Deep Dive
What Are the Types of Security Controls?
By Function:
| Type | Purpose | Examples |
|---|---|---|
| Preventive | Stop attacks from occurring | Firewall, encryption, access control |
| Detective | Identify attacks in progress | IDS, logs, SIEM |
| Corrective | Mitigate damage after attack | Backup restore, patch management |
| Deterrent | Discourage attackers | Warning banners, cameras |
| Compensating | Alternative when primary control not feasible | Logging when encryption impossible |
By Implementation:
| Type | Description | Examples |
|---|---|---|
| Technical | Technology-based | Firewalls, antivirus, encryption |
| Administrative | Policies and procedures | Security training, background checks |
| Physical | Tangible barriers | Locks, guards, fences |
Control Type Matrix:
| Function | Technical | Administrative | Physical |
|---|---|---|---|
| Preventive | Firewall | Hiring policy | Lock |
| Detective | IDS | Audit review | Camera |
| Corrective | Patch mgmt | Incident response | Fire suppression |
What Is Defense in Depth?
Defense in depth implements multiple layers of controls so that failure of one doesn't compromise security.
Defense in Depth Layers:
- Layer 1: Perimeter
  - Firewall
  - IPS
  - Email gateway
- Layer 2: Network
  - Segmentation
  - VLANs
  - Internal firewalls
- Layer 3: Endpoint
  - Antivirus
  - Host firewall
  - EDR
- Layer 4: Application
  - WAF
  - Input validation
  - Authentication
- Layer 5: Data
  - Encryption
  - DLP
  - Access controls
Why Layers Matter:
Single control: If firewall fails → Compromised

Defense in depth:
- Firewall bypassed → IPS detects
- IPS bypassed → Network segmentation contains
- Segment breached → Endpoint protection blocks
- Endpoint compromised → Data encrypted
How Do You Select Controls Based on Risk?
Risk-Based Selection Process:
| Step | Activity |
|---|---|
| 1. Identify assets | What needs protection? |
| 2. Assess threats | What could harm assets? |
| 3. Identify vulnerabilities | What weaknesses exist? |
| 4. Calculate risk | Likelihood × Impact |
| 5. Select controls | Match controls to risks |
| 6. Evaluate residual risk | Is remaining risk acceptable? |
Control Selection Criteria:
| Factor | Consideration |
|---|---|
| Risk reduction | How much does it reduce risk? |
| Cost | Purchase, implementation, maintenance |
| Operational impact | Does it interfere with business? |
| Complexity | Can staff manage it? |
| Compliance | Does it satisfy requirements? |
Risk vs Control Cost:
- If control cost > risk impact → Don't implement
- If control cost < risk impact → Implement

Example:
- Risk: $50,000 potential loss
- Control A: $10,000 (reduces risk 80%) → Good ROI
- Control B: $100,000 (reduces risk 90%) → Excessive
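A worked version of the cost-versus-impact rule above, extended to the layered controls described under Defense in Depth (residual risk multiplies across independent layers, so a cheap second layer can be a better buy than one expensive control). This is an added example, not part of the original study guide; the third candidate control, the risk tolerance value and the ROI check are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Control:
    name: str
    cost: int           # purchase + implementation + maintenance for the period
    reduction_pct: int  # share of the risk impact the control removes (0-100)

def residual_risk(impact: float, controls: tuple) -> float:
    """Expected loss left after stacking controls. Layers are treated as
    independent, so their reductions multiply rather than add."""
    remaining = float(impact)
    for c in controls:
        remaining = remaining * (100 - c.reduction_pct) / 100
    return remaining

def evaluate(impact: float, controls: tuple) -> dict:
    """Apply the cost-vs-impact rule to one control or one layered set."""
    cost = sum(c.cost for c in controls)
    residual = residual_risk(impact, controls)
    risk_removed = impact - residual
    return {
        "controls": [c.name for c in controls],
        "cost": cost,
        "residual_risk": residual,
        "net_benefit": risk_removed - cost,
        # Reject a set that costs more than the risk it treats (the page's
        # rule) and, stricter, one that removes less risk than it costs.
        "implement": cost < impact and risk_removed > cost,
    }

def select_controls(impact: float, candidates: list, tolerance: float,
                    max_layers: int = 2) -> dict:
    """Cheapest justified combination whose residual risk is within the
    tolerance (step 6 of the process); otherwise the best net benefit."""
    options = [evaluate(impact, combo)
               for k in range(1, max_layers + 1)
               for combo in combinations(candidates, k)]
    acceptable = [o for o in options
                  if o["implement"] and o["residual_risk"] <= tolerance]
    if acceptable:
        return min(acceptable, key=lambda o: o["cost"])
    return max(options, key=lambda o: o["net_benefit"])

# The page's figures plus one constructed third candidate (not from the page).
IMPACT = 50_000
CONTROL_A = Control("Control A", 10_000, 80)
CONTROL_B = Control("Control B", 100_000, 90)
CONTROL_C = Control("Enhanced monitoring (constructed)", 5_000, 50)
CANDIDATES = [CONTROL_A, CONTROL_B, CONTROL_C]
```

With a residual-risk tolerance of $10,000, Control A alone is selected; tightening the tolerance to $5,000 picks Control A plus the constructed monitoring layer, while Control B is rejected in every combination because its cost exceeds the risk impact.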
What Are Compensating Controls?
Compensating controls are alternative measures when primary controls aren't feasible.
When to Use Compensating Controls:
- Technical limitations prevent primary control
- Cost prohibitive for primary control
- Operational requirements conflict
- Temporary measure during implementation
Compensating Control Examples:
| Primary Control | Issue | Compensating Control |
|---|---|---|
| Full disk encryption | Legacy system incompatible | Physical security + monitoring |
| MFA | System doesn't support | IP restrictions + enhanced logging |
| Network segmentation | Flat network required | Enhanced monitoring + strict ACLs |
| Patching | Critical system can't be patched | IPS signatures + isolation |
Compensating Control Requirements:
- Must provide equivalent protection
- Addresses the same risk
- Documented and approved
- Reviewed periodically
How Do You Balance Security with Operations?
Security vs Usability Trade-offs:
| Control | Security Benefit | Operational Impact |
|---|---|---|
| Complex passwords | Stronger auth | User frustration |
| MFA | Additional verification | Extra login step |
| DLP | Data protection | False positive blocks |
| Full tunnel VPN | Traffic inspection | Performance impact |
Finding Balance:
- Too strict: Users bypass controls
- Too loose: Inadequate protection
- Goal: Maximum security with minimum friction
Strategies for Balance:
- Risk-based approach (more controls for sensitive areas)
- User experience testing
- Gradual implementation
- Feedback mechanisms
- Regular review and adjustment
How Do Compliance Requirements Affect Control Selection?
Compliance-Driven Controls:
| Regulation | Required Controls |
|---|---|
| PCI DSS | Firewall, encryption, access control |
| HIPAA | Access controls, audit logs, encryption |
| SOX | Segregation of duties, audit trails |
| GDPR | Data protection, consent mechanisms |
Compliance vs Risk-Based:
Risk-based: Select controls based on actual risk
Compliance: Select controls required by regulation
Best practice: Use compliance as baseline, add risk-based controls as needed
How CompTIA Tests This
Example Analysis
Scenario: A hospital needs to protect patient records (PHI) on a legacy system that cannot support modern encryption. Budget is limited, and the system is critical for patient care—it cannot be taken offline for upgrades.
Analysis - Control Selection:
Constraints:
| Constraint | Implication |
|---|---|
| Legacy system | Modern encryption impossible |
| Limited budget | Can't buy everything |
| Critical system | Must maintain availability |
| HIPAA required | Compliance mandatory |
Primary Control (Encryption) Not Feasible:
Cannot implement because:
- Legacy OS doesn't support it
- System can't be upgraded
- Can't take it offline
Compensating Control Strategy:
| Control Type | Control | Purpose |
|---|---|---|
| Physical | Locked server room | Prevent physical access |
| Technical | Network segmentation | Isolate from threats |
| Technical | Enhanced monitoring | Detect unauthorized access |
| Technical | Strict ACLs | Limit network access |
| Administrative | Access logging | Audit trail |
| Administrative | Staff training | Awareness of risks |
Defense in Depth Implementation:
- Layer 1: Physical
  - Biometric access to server room
  - Surveillance cameras
- Layer 2: Network
  - Dedicated VLAN for legacy system
  - Firewall isolating segment
  - IPS monitoring traffic
- Layer 3: Access Control
  - Minimum necessary access
  - Role-based permissions
  - Strong authentication
- Layer 4: Monitoring
  - Comprehensive logging
  - Real-time alerting
  - Daily log review
Documentation:
Compensating Control Justification:
- Primary control: Full disk encryption
- Why not feasible: Legacy system incompatibility
- Compensating controls: [list above]
- Risk assessment: Residual risk acceptable
- Review date: Quarterly
- Exit strategy: System replacement within 18 months
Key insight: When primary controls aren't feasible, compensating controls must provide equivalent protection through alternative means. Document the justification, ensure controls address the same risk, and plan for eventual implementation of the primary control.
Memory Trick
Control Types - "PDC DET" (Protect, Detect, Correct, Deter):
- Preventive = Prevents attacks (stops before happening)
- Detective = Detects attacks (finds ongoing)
- Corrective = Corrects damage (fixes after)
- Deterrent = Discourages attackers
- Compensating = Compensates for missing controls
Defense in Depth Memory: "Don't put all eggs in one basket, don't put all security in one firewall"
Think of a castle:
- Moat (perimeter security)
- Walls (network controls)
- Guards (endpoint protection)
- Inner keep (application security)
- Treasure vault (data encryption)
Control Selection Formula: "If the Control Costs more than the Risk, it's Ridiculous"
Control Cost > Risk Impact = Don't implement

Compensating Control Rule: "Can't do Plan A? Plan B must protect just as well"
Same risk addressed, different method
Test Your Knowledge
Q1. A company cannot implement encryption on a legacy system. What should they use instead?
Q2. What security principle implements multiple layers of controls so that if one fails, others still protect?
Q3. What type of control would an IDS (Intrusion Detection System) be classified as?