General Security Concepts is the foundational domain of the CompTIA Security+ SY0-701 exam, covering the core principles that underpin all of cybersecurity. In plain English, this domain teaches you the 'why' behind security—why we need confidentiality, integrity, and availability (the CIA triad), how to manage risk, and what controls (like firewalls, encryption, or policies) actually do. It’s like learning the rules of the road before driving: you’ll understand threats, vulnerabilities, and the mindset to protect data and systems.
This domain is critical for real-world IT, security, and cloud work because every security decision—from configuring a cloud bucket to responding to a breach—starts with these concepts. For example, when you set up AWS S3 permissions, you’re applying the principle of least privilege. When you patch a server, you’re reducing risk. Understanding these fundamentals helps you communicate with stakeholders, justify security spending, and avoid common mistakes that lead to data leaks. Employers expect you to think like a security professional, not just a technician.
On the SY0-701 exam, this domain tests your ability to define and apply security concepts across scenarios. You’ll be asked to identify which control (deterrent, preventive, detective, corrective, compensating, directive) fits a given situation—like a security guard (deterrent) vs. an IDS (detective). You’ll also need to understand risk management terms (likelihood, impact, RPO, RTO), types of threats (malware, social engineering, supply chain), and the difference between vulnerability and threat. Expect multiple-choice questions that give a short scenario and ask for the best control or concept.
To study this domain effectively, focus on memorizing the definitions and then applying them to practice questions. Start with the CIA triad and non-repudiation. Then learn the control types by creating mnemonics (e.g., 'Prevent, Detect, Correct'). Use flashcards for terms like 'vulnerability' vs. 'threat' vs. 'risk'. Finally, practice with scenario-based questions from CompTIA’s official study materials or a reputable test bank. Don’t just read—quiz yourself daily. This domain is 12% of the exam, so you need to master it, but it’s also the easiest to score high on if you practice.
General Security Concepts covers the foundational principles of cybersecurity, including the CIA triad, risk management, security controls, and threat types, which are tested through scenario-based questions on the SY0-701 exam.
Define and apply the CIA triad (confidentiality, integrity, availability) to scenarios like encrypting data at rest (confidentiality) or hashing files (integrity).
Identify and differentiate security control types: deterrent (e.g., warning signs), preventive (e.g., firewalls), detective (e.g., IDS), corrective (e.g., backups), compensating (e.g., alternative controls), and directive (e.g., policies).
Understand risk management concepts: risk = likelihood x impact, and terms like RPO (Recovery Point Objective) and RTO (Recovery Time Objective) in disaster recovery.
Recognize common threat actors and vectors: insider threats, APTs, ransomware, phishing, and supply chain attacks.
Apply the principle of least privilege and defense in depth to network or system design scenarios.
Differentiate between vulnerability, threat, and risk, and identify appropriate mitigation strategies.
Common exam traps
Where candidates lose marks on General Security Concepts
⚠ Confusing preventive and detective controls: a firewall is preventive, but an IDS is detective; many candidates mix them up.
⚠ Misapplying the CIA triad: e.g., thinking encryption only provides integrity, when it primarily provides confidentiality.
⚠ Overlooking the difference between a vulnerability (a weakness) and a threat (something that could exploit that weakness); exam questions often test this distinction.
⚠ Assuming all compensating controls are temporary; they can be permanent if the primary control is too costly or complex.
SY0-701 General Security Concepts — Practice Questions
30 questions from this objective · 12% of your SY0-701 exam
A security engineer writes a script that computes SHA-256 hashes of critical server configuration files every night and sends an alert if any hash value has changed since the previous night. Which security goal is this control primarily designed to protect?
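The nightly hash-and-compare control in the scenario above, as an added example that is not part of the original page: it records a SHA-256 baseline of a directory one night, re-hashes the next night, and reports every file that changed, appeared or disappeared. The directory, file names, contents and the "drift" between the two runs are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: a minimal nightly file-integrity check. Paths, file names and
# file contents below are constructed for the demo, not taken from any system.

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every regular file under root (by relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def save_baseline(snap: dict, baseline_file: Path) -> None:
    """Persist the previous night's hashes; keep this file outside the monitored tree."""
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))

def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Night 1: record a baseline. Night 2: compare against it and report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "sshd_config").write_text("Port 22\nPermitRootLogin no\n")
        (root / "ntp.conf").write_text("server time.example.internal\n")
        baseline_file = Path(tmp) / "baseline.json"   # outside the monitored tree

        save_baseline(snapshot(root), baseline_file)   # night 1

        # Constructed drift between the two runs: one edit, one new file, one deletion.
        (root / "sshd_config").write_text("Port 2222\nPermitRootLogin no\n")
        (root / "cron.d_backup").write_text("0 2 * * * /opt/backup/run.sh\n")
        (root / "ntp.conf").unlink()

        report = diff_snapshots(load_baseline(baseline_file), snapshot(root))   # night 2
        if any(report.values()):
            print("ALERT: configuration drift detected:", json.dumps(report))
        return report

if __name__ == "__main__":
    demo()
```

The check only tells you that something changed, not whether the change was authorised; in practice the alert is correlated with change tickets, and the baseline file itself must be protected (stored outside the monitored tree and, ideally, on a host the monitored server cannot write to), otherwise whoever alters a config file can simply update the baseline too.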
A financial institution updates its access control policy to require that two different system administrators must approve and execute any changes to the core transaction processing database. Which security principle is this practice primarily designed to enforce?
A security architect is designing the network security posture for a new branch office. The plan includes a next-generation firewall at the perimeter, an intrusion prevention system on the internal network, mandatory multi-factor authentication for all remote access, and quarterly security awareness training for employees. The architect explains that these controls are independent of each other so that a failure in any single control does not leave the entire network unprotected. Which security concept is the architect primarily implementing?
A security analyst at a hospital is reviewing user permissions in the electronic health record (EHR) system. The analyst discovers that all nursing staff accounts are members of the 'Administrators' group, which grants full read and write access to all patient records, as well as the ability to modify system configuration settings. The nursing staff's job responsibilities only require viewing and updating records for patients currently assigned to them. Which security principle is most directly violated by this configuration?
A defense contractor is deploying a new document management system that will store classified military intelligence. The security policy requires that user access to each document is strictly determined by the document's classification label (e.g., Confidential, Secret, Top Secret) and the user's verified security clearance level. Furthermore, system administrators must not be able to change these access rules or grant themselves access to documents above their clearance. Which access control model is best suited for this requirement?
A security analyst is investigating a data integrity incident where an attacker exploited a vulnerability in a web application to alter customer account balance records in the database. The analyst identifies the exact records that were modified and restores those records from a verified read-only backup taken prior to the attack. Which security goal is the analyst primarily addressing by restoring the records from backup?
A software vendor distributes critical security updates for its application through a public download website. The vendor wants to allow customers to verify that each update originated from the vendor and has not been modified in transit. Which of the following cryptographic techniques should the vendor apply to the update files before posting them for download?
A financial institution is implementing a new policy for all remote access to its payment processing system. The system will generate a unique digital signature for each administrative action, and all actions will be recorded in a tamper-evident audit log that is replicated to an immutable storage location. The primary objective of this policy is to ensure that administrators who perform sensitive operations cannot later deny having executed them. Which security goal is this policy primarily intended to enforce?
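A tamper-evident audit log of the kind the scenario above describes, as an added example that is not from the original page: each entry is chained to the tag of the previous entry and authenticated with a key held only by the logging service. The HMAC used here is a stand-in for the per-action digital signature in the question (a real deployment would sign with a private key so that the log service itself cannot forge entries); the key, administrator names, actions and timestamps are all constructed for the demo.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Added example: a hash-chained, keyed audit log. The HMAC stands in for a
# digital signature; the key and every log entry below are constructed.

GENESIS = "0" * 64   # "previous tag" for the very first entry

def _canonical(body: dict) -> bytes:
    """Deterministic encoding so an entry always authenticates the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _tag(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()

def append_entry(log: list, key: bytes, actor: str, action: str, ts: str) -> dict:
    """Append an entry bound to its position and to the previous entry's tag."""
    body = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "prev": log[-1]["tag"] if log else GENESIS,
    }
    entry = dict(body, tag=_tag(key, body))
    log.append(entry)
    return entry

def verify_log(log: list, key: bytes) -> tuple:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return (False, i)                      # reordered, inserted or relinked
        if not hmac.compare_digest(_tag(key, body), entry.get("tag", "")):
            return (False, i)                      # contents or tag altered
        prev = entry["tag"]
    return (True, None)

def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"
    log = []
    append_entry(log, key, "admin1", "disable fraud-rule 17", "09:10")
    append_entry(log, key, "admin2", "approve payout batch 442", "09:12")
    append_entry(log, key, "admin1", "rotate api credential", "09:30")
    results = {"intact": verify_log(log, key)}

    # An administrator edits their own entry after the fact: its tag no longer matches.
    edited = deepcopy(log)
    edited[1]["action"] = "view payout batch 442"
    results["edited"] = verify_log(edited, key)

    # Even if the editor could re-tag the entry (i.e. held the key), the next
    # entry still points at the old tag, so the chain breaks one step later.
    retagged = deepcopy(edited)
    retagged[1]["tag"] = _tag(key, {k: v for k, v in retagged[1].items() if k != "tag"})
    results["retagged"] = verify_log(retagged, key)

    # Re-tagging with a guessed key fails at the edited entry.
    forged = deepcopy(edited)
    forged[1]["tag"] = _tag(b"wrong key", {k: v for k, v in forged[1].items() if k != "tag"})
    results["forged"] = verify_log(forged, key)

    # Dropping the newest entry leaves a shorter but self-consistent chain. The
    # chain alone cannot detect that, which is why the scenario also replicates
    # the log to immutable storage: the replica's last tag exposes the truncation.
    truncated = log[:-1]
    results["truncated"] = verify_log(truncated, key)
    results["last_tag_matches_replica"] = truncated[-1]["tag"] == log[-1]["tag"]
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The truncation case is the practical point: chaining proves that what remains has not been edited or reordered, but only an external anchor (the immutable replica, or a periodically published latest tag) proves that nothing was removed from the end.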
A security auditor is reviewing the access controls for a payroll application. The auditor discovers that a single user, the payroll manager, has permissions to both create new employee records and then approve and process salary payments for those records. The company's security policy requires that no single individual should be able to execute both the creation and the approval of a payment for the same employee. Which of the following security principles is the company's policy attempting to enforce?
A security architect is designing a defense strategy for a database containing sensitive customer records. The architect implements a network firewall to restrict inbound traffic to only the application server, enforces file-level encryption for the database files, requires multi-factor authentication for all administrative access, and deploys a database activity monitoring system to alert on unusual queries. Which security principle is the architect primarily applying?
A company is enhancing its network security posture. The security team deploys a system that passively monitors network traffic, analyzes packets for signs of malicious activity, and generates alerts when suspicious patterns are detected. This system does not actively block or modify any traffic. Which type of security control does this system BEST represent?
A company wants one document that tells employees what they are required to do when handling company systems and data. Which document type is the best fit?
A legal team must send a confidential contract to a partner so only the intended recipient can read it, and the partner also needs assurance the file really came from your company. Which approach best meets both needs?
Based on the exhibit, what should be implemented to reduce the blast radius if a backup server is compromised later?
Exhibit
Backup job configuration:
algorithm=AES-256-GCM
key_file=/opt/backup/key.bin
rotation=disabled
same_key_for_all_sites=true
backup_media copied to an offsite vault each night
Based on the exhibit, what is the best fix so role changes are reflected promptly in the application?
Exhibit
Token and directory data:
09:10 Token issued for user jdoe
groups=[Finance_Approver, Expense_Reviewer]
auth_time=09:10
exp=17:10
09:15 HR updated directory: jdoe moved to Sales
11:00 The application still accepts the original token and allows expense approval
11:01 Identity provider logs show no token revocation event
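The failure in the exhibit above, reproduced as an added example that is not part of the original page: an application that trusts the group list frozen into a token at 09:10 keeps granting Finance_Approver at 11:00 even though the directory moved jdoe to Sales at 09:15. The block contrasts that with two fixes, checking current directory membership at decision time and issuing short-lived tokens that force re-authentication. The HMAC-signed token format, the signing key and the in-memory directory are constructed stand-ins for whatever the identity provider and directory actually use; times are minutes since midnight.

```python
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Added example. The token format, key, user and timestamps are constructed;
# the HMAC-signed token stands in for the identity provider's real token.

KEY = b"constructed-idp-signing-key"

def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, groups: list, auth_time: int, exp: int) -> str:
    """Issue payload.signature with the group snapshot taken at issue time."""
    claims = {"sub": user, "groups": groups, "auth_time": auth_time, "exp": exp}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def parse_token(token: str, now: int):
    """Verify signature and expiry; return the claims, or None if invalid."""
    payload, sig = token.split(".")
    expected = hmac.new(KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        return None
    return claims

def authorize_from_claims(token: str, now: int, required: str) -> bool:
    """Naive check: trusts the groups as they were when the token was issued."""
    claims = parse_token(token, now)
    return claims is not None and required in claims["groups"]

def authorize_live(token: str, now: int, required: str, directory: dict) -> bool:
    """Hardened check: the token proves who the caller is; the directory, queried
    at decision time, says what they are currently allowed to do."""
    claims = parse_token(token, now)
    if claims is None:
        return False
    return required in directory.get(claims["sub"], [])

def demo() -> dict:
    def t(hh: int, mm: int) -> int:
        return hh * 60 + mm

    directory = {"jdoe": ["Finance_Approver", "Expense_Reviewer"]}
    token = issue_token("jdoe", directory["jdoe"], t(9, 10), t(17, 10))   # 8-hour token
    directory["jdoe"] = ["Sales"]          # 09:15 HR move; no revocation is issued
    now = t(11, 0)

    # The alternative fix: a 15-minute token that has expired long before 11:00.
    short = issue_token("jdoe", ["Finance_Approver", "Expense_Reviewer"], t(9, 10), t(9, 25))

    return {
        "claims_only": authorize_from_claims(token, now, "Finance_Approver"),
        "directory_checked": authorize_live(token, now, "Finance_Approver", directory),
        "live_for_current_role": authorize_live(token, now, "Sales", directory),
        "short_lived_token": authorize_from_claims(short, now, "Finance_Approver"),
        # A modified payload fails signature verification regardless of groups.
        "tampered": authorize_from_claims("f" + token[1:], now, "Finance_Approver"),
    }

if __name__ == "__main__":
    print(demo())
```

Either fix on its own closes the 09:15-to-11:00 window: a directory lookup makes the decision reflect the current role immediately, while short-lived tokens bound the window to the token lifetime and also limit how long a stolen token is useful.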
Based on the exhibit, which additional control is the best fit to prevent employees from copying sensitive reports to removable media?
Exhibit
Current controls on finance laptops:
- Full-disk encryption enabled
- SIEM alerting on impossible-travel logins
- Weekly security awareness reminders
- USB ports left enabled for engineering and finance teams
Incident summary:
- Two finance users copied monthly revenue files to personal flash drives after downloading them
- Internet access and email must remain available for normal work
The security team configures the badge system so employees must present both a badge and a PIN before entering the data center. The access logs are reviewed weekly for failed attempts. Which pair of control types best describes these measures?
Based on the exhibit, what is the best governance improvement?
Exhibit
Data handling procedure:
- Managers may approve external sharing exceptions verbally.
- Staff record exceptions in email threads.
- No retention period is defined for exception evidence.
Audit note: multiple exceptions could not be traced to an approver.
A development team signs branch-router firmware before deployment. The same code-signing private key is stored on two build servers, and a compromise of either server would let an attacker sign malicious updates that look legitimate. Which two changes best reduce the cryptographic risk while preserving the ability to sign trusted releases? Select two.
Based on the exhibit, which document should be created or updated to make these settings mandatory and measurable?
Exhibit
Endpoint baseline draft:
- Full-disk encryption should be enabled on all corporate laptops.
- Screen lock should activate after 15 minutes of inactivity.
- Users should choose strong passwords.
Related documents:
Policy: Acceptable Use Policy
Standard: none
Procedure: Laptop imaging steps
Guideline: Suggested hardening tips
A company wants to make sure only approved administrators can view and rotate a shared encryption secret used by several applications. What is the best way to manage that secret?
A help desk receives an email from an employee asking to urgently reset MFA because they are traveling and locked out. The sender address matches the employee's name but uses a slightly different domain. What is the best action for the help desk agent?