August 22, 2025 26 mins

professorjrod@gmail.com

Diving into the foundations of cybersecurity certification, Professor JRod delivers an insightful exploration of CompTIA Security+ Chapter 1, revealing why this certification might actually be more approachable than many believe. Unlike many entry-level IT courses, Security+ builds upon concepts from A+ and Network+, creating a natural progression for those following CompTIA's certification path. For career-changers considering jumping straight to Security+, this episode provides valuable perspective on the assumed knowledge and preparation needed.

The heart of this episode focuses on security controls – the safeguards and countermeasures organizations implement to protect their information systems. Professor JRod methodically breaks down the five functional categories: preventive controls that stop incidents before they occur, detective controls that identify security breaches, corrective controls that remediate problems, deterrent controls that discourage inappropriate behavior, and compensating controls that provide alternatives when primary controls aren't feasible. He also highlights the often-overlooked sixth category: directive controls that guide and influence secure behavior through policies and procedures.

Beyond technical concepts, Professor J-Rod emphasizes the organizational structures that support effective security implementation. From the strategic oversight of the CISO to the hands-on work of security engineers and analysts, each role contributes uniquely to the protection of organizational assets. Perhaps most importantly, he stresses that communication skills form the foundation of successful IT security work – a lesson learned early in his career that continues to shape his approach to teaching. The episode concludes with practical application through scenario-based questions that reinforce key concepts, preparing listeners for both certification exams and real-world security challenges.

Looking to boost your cybersecurity knowledge and prepare for Security+ certification? Follow Professor J-Rod on TikTok for visual explanations of these concepts and join us next time as we continue our exploration of CompTIA Security+ with Chapter 2.

Support the show

If you want to help me with my research please e-mail me.
Professorjrod@gmail.com

If you want to join my question/answer zoom class e-mail me at
Professorjrod@gmail.com

Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:28):
And and welcome to Technology Tap.
I'm Professor J-Rod.
In this episode we're going to talk about more.
Security Plus, chapter 1, welcome back.

(00:58):
So one of the reasons why I decided to start with Security
Plus and not with A+, because I think Security plus is a little
bit different from all the other exams.
I actually think out of the trifecta, um, as far as easy,
order is A plus, of course, Security plus, I think, is

(01:20):
second and Network plus I think it's actually harder.
I think Security plus if you know it's a lot of definitions
and if you know the definitions, you you get the answer plus I I
think I find it easier is because if you but it's easier
in a sense, but if you take it in the order right, if you take

(01:40):
a, uh, A plus, Network plus and Security+, by the time you get
to Security+ you're going to find that it wasn't as hard as
Network+, I believe, because a lot of the information that you
get from A+ and Network+ it's either it's already in Security+
or it's assumed that you know it.
So those of you who want to take a certification exam for IT

(02:06):
and want to jump straight into Security Plus, I'm telling you
I've only seen one guy out exam that it's.
It's.
It makes it a lot easier if you know yourself.
So if you take an A plus and Edward plus, this exam is a lot

(02:32):
easier, rather than coming in from the cold.
I used to work for someone.
He's actually pretty famous on YouTube and you know LinkedIn
and all that stuff famous on YouTube and LinkedIn and all
that stuff and I used to teach classes for him and I would tell
him the people who sign up for Security Plus, what do I do?

(02:55):
Because a lot of them don't seem to know what they're doing.
He would say well, the class, I think, was like from 10 to 6.
So he goes at 1 o'clock, talk to them and see if they want,
you know, if they find it too hard, then he says I can always
switch them to the A-plus class.
He was really, really good about that and I would tell you
know, sometimes at 1 o'clock I would grab a couple of students

(03:17):
and I would say, hey, I think this class is a little bit too
hard for you.
Why don't you go to the A-plus class and start from there?
Because you know a lot of these people.
They want to change their careers right and they get
recommendations.
I remember one guy who was like well, my brother-in-law told me
to take this class but he didn't know anything about
computers.
And you know it's like a different language right by the
time you get to Security plus.

(03:38):
If you don't know anything about IT, they're not going to
teach you.
You know about hardware.
They're not going to teach you the port numbers.
That's not on this exam.
You should already know that by the time that you're here.
That's the assumption that they made, that CompTIA makes so.
But I think it's a lot easier if you've gone through the first
two.

(03:58):
It makes it a lot easier.
And I find this one to be a lot of definitions.
So if you know, you know, if you know the definitions you,
you know the answer.
All right, so we're doing uh, chapter one.
So we're part two.
We're going to talk about security control configuration
uh categories.
Security controls are safeguards or countermeasures used to

(04:20):
reduce risk and protect information systems.
They are categorized based on their function, implementation,
type and objectives. Control functions: there are five
functional categories of security controls.
They are preventive, detective, corrective, deterrent and

(04:40):
compensating.
And as we go down, I'll give you like examples of each.
Preventive stops an incident from occurring.
Detective identify and alert when incidents occur.
Corrective remediates or restores after an incident.
Deterrent discourage attacks through fear or awareness.

(05:03):
And compensating alternative control when the primary control
is not feasible.
Control types by implementation: these are how the controls are
implemented, the administrative, technical and physical.
The administrative is sometimes called managerial. Policies,
procedures, trainings and risk assessments.
Technical enforced by hardware, software, or sometimes known as

(05:29):
logical and physical tangible protections.
So examples of controls by category. Preventive is firewalls,
access control, encryption.
Detective is IDS, IPS, CCTV, audit logs. Corrective patch
management, backups.
Deterrent security awareness posters, security awareness

(05:52):
posters and guards.
Compensating manual review with automated control is missing.
And a better example that is like using MFA when biometrics
is not, it's not working, all right, you compensating.
So security functions are grouped by the functional

(06:12):
purpose, what they're designed to do when information security
system.
So preventive control the goal for preventive controls to stop
security incidents before they happen.
So what do we use?
We use use firewalls, ACLs, security policy, user
authentication, encryption, antivirus, physical locks and
secure doors.
Detective controls their goal is to identify security

(06:36):
incidents when they occur and they use intrusion detection
system, security information and event management, audit logs
and monitoring, surveillance cameras, file integrity
monitoring, motion detectors.
Corrective controls the goal is to fix or restore systems after
a security incident has happened.

(06:58):
Example patch management, antivirus quarantine, backup or
recovery, incident response procedures, system re-imaging,
reboot script or automated repairs. Deterrent controls.
The goal is to discourage attackers or inappropriate
behavior through warning and awareness.
Example warning banners right, you get those like all this you

(07:22):
know through emails and you get them.
Like if you log into somebody else's system.
Right, if you log into the IRS.gov, you get a warning saying
that this is a government website.
Right, that's the kind of warning banner.
They're talking about Security awareness training, which is
important for everybody, surveillance signs when you walk
in some place, legal and HR policies, and then visual

(07:45):
security measures, guards and cameras.
Compensating control Go is substitute for primary control.
That is not feasible or has failed.
Example, like I gave you multi-factor authentication when
biometric logging is unavailable, manual review
processes in place of automated scanning, network segmentation

(08:07):
if encryption is not yet implemented, and jump box use
instead of direct administration access.
There is what they call a sixth type of security control that is
often overlooked, and it's called directive control.
Directive controls are designed to guide, influence or

(08:28):
encourage secure behavior.
They don't prevent or detect threats directly, but establish
expectations and provide direction on how users and
systems should behave.
They are typically policy-based or behavioral and form the
foundation of broader security.
The purpose of directive control is to promote desired
security behavior, establish a security mindset across an

(08:50):
organization, lay the groundwork for other controls and often
pair with administrative controls.
Examples of directive controls is acceptable use policy, code
of conduct, security training programs, posters and reminders,
management directives and standard operating procedures.

(09:12):
So directive controls are proactive and behavioral.
They rely on policy awareness and leadership.
They help enforce the security culture over organizations.
Now we're gonna talk about information security roles and
responsibilities.
In any organization, protecting information assets require

(09:34):
clearly defined roles and responsibilities.
These roles help ensure accountability, compliance and
effective risk management across technical and non-technical
teams. Start off with the chief information security officer.
They define overall security strategy and vision, reports to
executive leadership, CIO, CEO or board, oversee risk

(09:55):
management, compliance and incident response and align
security with business goals.
Next we have the information security manager manages
security staff and day-to-day operations, coordinates
incidents response and audits and monitors compliance with
whatever standard you're using right, NIST, HIPAA, FERPA, right

(10:18):
Security analysis.
They analyze, logs, alerts.
They monitor system SIEM and IDS/IPS systems.
Investigates incidents and supports incidents response,
conducts vulnerability assessments and report findings.
Security Engineer they design secure networks and system

(10:40):
architecture.
They configure firewalls, VPN, IDS, IPS and access control.
They implement encryption and endpoint protection.
They work on secure development lifecycle.
Then you have your system administrator IT staff
Implements technical security controls, patches systems and
maintains access control, supports backup and disaster

(11:05):
recovery processes, follows security procedures and enforced
policies.
Next you have your data owner.
Data owner determines data classification and access level,
improves access requests and data sharing, ensures compliance
with legal and business requirements.
Data custodian maintains and protects data on behalf of the
owner, backs up data, applies encryption, maintains logs and

(11:29):
ensures data integrity and availability.
End user follows security policies, completes security
awareness training, reports suspicious activity or incident
and uses the system in a responsible or secure manner.
And then you have your incident response team responses to
security incidents, perform root cause analysis and containment,

(11:52):
coordinates with legal, PR and law enforcement as needed,
documents incidents for future prevention and audits.
Right, so there you have it.
You have your CISO, security manager, security analyst,
security engineer, system admin, IT staff, data owner, data
custodian, end user, incident response team, system admin and

(12:15):
IT staff.
They're together, if you're taking notes.
Information security competencies refers to the
skills, knowledge and abilities required to effectively protect
an organization's data systems and networks.
These competencies span technical, managerial and
behavioral domains that are essential for building a robust

(12:38):
cybersecurity workforce.
Core competency domains. One is technical competencies these
involve hands-on skills and technical knowledge to implement
and manage security systems.
Right skills and technical knowledge to implement and
manage security systems you need to know cryptology, network
security, endpoint security, cloud security, identity access
management.

(12:58):
Managerial, strategic competencies these involve
planning, oversight, compliance and aligning security with
business needs.
Skill areas risk management policy development, business
continuity, vendor risk management policy development,
business continuity, vendor risk management.
Then you have behavioral soft competencies.
These are essential for teamwork, communications, ethics

(13:19):
and leadership in a security role. Communication skills,
ethical decision making, analytical thinking, continuous
learning, collaboration and teamwork and attention to detail.
So these are a lot of the things I kind of try to teach in
my classes.
I always tell my students that the overall umbrella of IT is

(13:42):
communications.
Right, you know it's part of the communication network, it.
It falls under that umbrella of communications and you have to
learn how to be a good communicator.
If you cannot be a good communicator, it's not going to
work.
And one of my, my first real job that I got as an adult uh,

(14:05):
my old boss, um, he drilled that into me so much that I still
carry that to this day, like he just would say just constantly
that oh, you got to communicate, communicate, communicate.
And he, and he would tell me you know, if you don't
understand something, I'd rather explain it to you five times

(14:27):
than explain it to you Once you walk away.
You don't understand and you do it wrong.
So he says if you, once you walk away, you don't understand
and you do it wrong.
So he says if you, if he goes, I would never yell at you If I,
if you tell me, if I explain something to you and you come
back and you say I didn't understand that, can you explain
it again?
Because I want you to do it right the first time and I want
you to walk away knowing that I understand what he wants me to

(14:50):
do.
So I always appreciate that for him, probably more now than I
did when I worked there.
I was a kid, so you know what did I know so, but I appreciate
a lot of the stuff that he told me.
Unfortunately, he passed, but you know, I still remember him.
All right, how do you build these competencies?

(15:10):
You take certification exams, lab and simulations, training
and boot camps, mentorship and internship and continuous
education.
Let's see key information security responsibilities.
Of course, everybody in IT or security has to know at least

(15:30):
some level of this risk assessments, access control,
user privilege, ordering logs, et cetera, et cetera.
Next, we have information security business units.
In a modern organization, InfoSec is not the
responsibility of a single team.
It spans multiple business units that collaborate to
protect systems, data and operations.

(15:50):
Each unit plays a unique role in enforcing confidentiality,
integrity and availability across the enterprise.
First is we're going to talk about information security.
They manage all security technologies and policies.
They're responsible for risk management, incident response,
security operations, vulnerability assessments,

(16:11):
penetration testing, testing, security policies, framework
compliance oversight.
Next, we have IT network operations.
Their core functions maintain network technology
infrastructure and they're responsible for implementing and
managing security controls, patch management, system
hardening, backup and recovery procedures.
Then we have compliance legal and audit. Core function ensure

(16:34):
regulatory and legal adherence. Responsibilities.
They interpret laws like HIPAA, GDPR, PCI DSS and SOC.
They manage security audits, ensure documentation and they
address data breaches from a legal standpoint.
Human resources core functions manage employees' life cycle and
conduct responsibilities.

(16:55):
Enforce security-related policies, coordinate security
training and awareness programs, handle insider threat and
investigations
in partnership with Infotech. Finance, their core functions is
budgeting and procurement, responsible for funding security
tools and personnel, manage vendor risk and financial fraud
prevention and align investment with security priorities.

(17:19):
Executive leadership, the C-suite or the board the core
function is strategic oversight.
Responsibilities is to set the tone for security culture,
approve security budgets and framework and assess enterprise
risk and support compliance programs.
Next is the business continuity team.

(17:40):
Core responsibility is make sure that they do whatever they
have to do to keep the business up and running.
Responsibilities is develop and test business continuity and
recovery plans, coordinate with IT and InfoSec during outages or
incidents, ensure mission-critical services can be
restored quickly.
Next is the training and awareness unit.

(18:02):
Core function is foster security culture and they're
responsible for develop user awareness programs, communicate
incidents, procedures and policy changes and coordinate
simulations.
And there's a lot of cross-functioning collaboration.
Right for incidents response, you need the infotech team, IT,

(18:24):
legal, HR, communication.
For risk management, you need InfoSec, executive compliance
and finance.
For security, you need InfoSec, executive compliance and
finance.
For security, you need HR training, InfoSec and
communications.
And for vendor risk management, you need procurement, legal and
InfoSec.
So how they work together they continue monitoring and

(18:47):
detecting, they develop secure code development, response to
cyber attacks and the root cause analysis, recovery.
They all work as a team.
So this is very important that you have some kind of strategy

(19:08):
or hierarchy to deal with and break up your stuff into teams.
And these are not all like IT people, right?
HR is not IT.
Sometimes, compliance is not IT.
Obviously, legal is not IT.
So it's more than just finance is not IT, right, it's more than

(19:28):
just IT people, when you have to think of these kind of teams
that you're building or you're putting together, so they don't
necessarily have to be IT-centric.
All right, now that we've gone through it, let's go over some

(19:49):
questions, right?
Um, security control questions.
So he's going to be the first one and I'll put these on TikTok.
That way, you can.
You can.
Some people are visual people, so I'll put it on TikTok.
It's at professor jrod, that's j-r-o-d and you gotta.
You know, professor p-r-o-f-e-s-s-o-r, j-r-o-d.

(20:09):
And you got to.
You know, professor P-R-O-F-E-S-S-O-R, j-r-o-d.
Look for that on TikTok and you will find me there with the
same questions.
All right, number one a company requires all employees to attend
annual cybersecurity awareness training.
Which type of security controls does this represent?
A technical and preventive.

(20:31):
B administrative and deterrent.
C administrative and preventive.
D physical and detective.
Company requires employees to attend annual cyber security
awareness training.
Which type of security controls.
Does this represent a technical and preventive, b
administrative and deterrent, c administrative and preventive, d.
D physical and detective?

(20:52):
Give you five seconds to think about it and the answer is C
administrative and preventive.
Right, the administrative side is again, a company requires all
employees to take annual cybersecurity training.
So on the administrative side, they plan all that and it's to
prevent people from clicking on stuff that they shouldn't be

(21:14):
clicking on right.
Next, preventive versus detective. An IDS intrusion
detection system is deployed in a data center to monitor and
alert on suspicious network traffic.
What type of control is this?
A Technical and preventive, b Technical and detective, c
Administrative and corrective.

(21:36):
D Physical and deterrent.
Again, an IDS is deployed in a data center to monitor and alert
on suspicious network traffic.
What type of control is this?
A Technical and preventive, b Technical and detective, c this
a technical and preventive.
B the technical and detective.
C administrative and corrective.
D physical and deterrent.

(21:57):
I'll give you a couple of seconds to think about it and
the answer is what do you think?
The answer is guys, those of you who are those of you who are
smart out there the answer is technical and detective.
Right, that's number two.
Number three after a malware outbreak and organizations use

(22:23):
known organizations using known cleanup backups to restore
effective systems.
This is an example of A Technical Corrective B,
administrative, detective C, physical, preventive, d,
technical, compensating.
After malware outbreak, an organization uses known clean
backups to restore effective systems.

(22:45):
This is an example of A Technical Corrective B,
administrative, detective C, physical, preventive, d,
technical and compensating.
And the answer is A technical and corrective.
Right Corrective is you know, you're fixing what's broken, so

(23:06):
you're correcting the problem, all right.
Next, in a legacy application.
A legacy application does not support multi-factor
authentication.
To mitigate the risk, the security team implements strict
network segmentations and additional monitoring.
This is an example of A compensating B, detective C,
preventive, d, deterrent.
A legacy application does not support multi-factor

(23:30):
authentication.
To mitigate the risk, the security team implements strict
network segmentations and additional monitoring.
This is an example of A compensating B detective C,
preventive, d, deterrent.
Give you a couple of seconds and the answer is compensating.

(23:50):
Right, you're compensating something for something else,
all right.
Last one A company installs man traps, bad readers, bad badge
readers and security guards at data center entrance.
These are best described as administrative controls,
physical, preventive controls, technical, corrective controls,
physical, detective controls.
A company installs man traps, bad readers and security guards

(24:15):
at data center.
They're best described as administrative controls,
physical, preventive controls, technical corrective controls or
physical detective controls.
I'll give you a couple of seconds to think about it.
And the answer is B physical and preventive controls.
Right, think about it and the answer is b physical and
preventive controls.
Right, they're preventing people from doing stuff that
they're not supposed to.

(24:35):
You know, do, right, I don't want to get themselves in
trouble.
So they, you know, they put the man trap in there, which has
been replaced, right, they call man trap something else on the
path, that's man in the Middle.
I forgot, but they changed the word for Mantrap so you may not

(24:56):
see it anymore on the CompTIA.
Uh, I don't know, I forgot what it was, but it's not Mantrap
anymore.
It's uh, on the Path.
No, on the Path is man in the Middle, on the Path Attack.
So anyway, yep, but hope you got them right.
If you got five out of five, pat yourself on the back.

(25:17):
You're almost ready to tackle chapter one.
So that's going to do it, guys.
For chapter one we are done, and next time we're going to
start on chapter 2.
Like I said, I think there's 16 chapters.
There are 16 chapters in this series in the slides that I got

(25:41):
from Swordmaster, so I kind of just put them together as notes
and, yeah, I hope you like it and we'll see you next time.