A comprehensive study guide covering cybersecurity roles and responsibilities, the Security Operations Center (SOC), NIST SP 800-53 (18 control families), control categories (technical/operational/managerial/administrative), functional control types (preventative/detective/corrective), additional control types (physical/deterrent/compensating/responsive), and selecting controls using the CIA triad.
Objective 2.5 — Vulnerability response, handling and management
1
Cybersecurity Roles & Responsibilities
A cybersecurity analyst is defined by CompTIA as a senior position with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that protect it. They are the network defenders — responsible for every device that processes or stores organizational information.
C-Suite
CISO
Chief Information Security Officer — executive-level governance and leadership. Reports alongside CEO/COO/CIO. Sets security strategy and budget.
Manager
Security Manager / Engineer
Manages analyst teams (reports to CISO). Engineer designs entire security architecture. Manager oversees daily SOC operations.
Senior
Senior Cybersecurity Analyst
Intermediate to senior position. Oversees junior analysts. Leads incident response. Performs risk assessments and penetration tests.
Junior
Junior Cybersecurity Analyst
Entry into analyst role. Typically requires 2–4 years as a specialist/technician first. Monitors SOC, reviews alerts, investigates indicators of compromise.
Entry
Specialist / Technician
Hands-on configuration under an analyst's direction. Covered by Security+. This is the starting point — get here first, then build toward analyst.
Other cybersecurity roles
Cybercrime Investigator
Digital forensics focus — collecting, preserving, and analysing evidence for legal proceedings. Handles post-incident investigation and chain of custody.
Incident Response Analyst
Specialises in responding to data breaches and cyberattacks. Works to contain, eradicate, and recover from security incidents. Part of the CSIRT (Computer Security Incident Response Team).
Penetration Tester
Breaks into systems with permission to identify vulnerabilities. Conducts authorised ethical hacking engagements. Reports findings so defenders can fix them before real attackers exploit them.
What makes a good cybersecurity analyst?
Creative thinker
Attackers don't follow scripts. You need to think outside conventional patterns to anticipate novel attack vectors and design defensive countermeasures that weren't in the playbook.
Problem solver
Synthesise fragmented data from multiple systems, apply threat intelligence, and arrive at accurate conclusions under time pressure. Communicate complex technical findings in non-technical terms to executive stakeholders.
2
Security Operations Center (SOC)
A Security Operations Center (SOC) is a location where security professionals monitor and protect critical information assets — the single point of contact for all security monitoring and incident response. Junior analysts (many) work under senior analysts (few) reviewing logs and alerts to find Indicators of Compromise (IoCs).
Who has SOCs
Large corporations, government agencies, and healthcare organisations (due to high cost to establish and maintain). Smaller organisations often outsource to third-party commercial SOCs providing "Security as a Service."
SOC vs. service desk
The SOC handles security — access management, identity management, incident response. It must NOT become a general IT service desk. That's a separate function. The SOC is the single point of contact for security issues specifically.
What every SOC needs to succeed
Authority to operate — Organisational policy must empower the SOC to take action (e.g. shut down a server during an incident) even when that impacts business operations. Without authority, the SOC is powerless during a crisis.
Motivated and skilled professionals — Automation handles the known-good and known-bad. Humans handle the uncertain middle. Analysts must think critically through ambiguous data. No algorithm replaces experienced judgement.
Integrated processes — Security workflows must be centralised and documented. Incident response procedures, escalation paths, and investigation workflows must all be standardised and consistently applied.
Incident response capability — The SOC leads when breaches occur. Containment, eradication, recovery, and post-incident review are all SOC functions. They get the network back to a known-good baseline.
Self-protection — The SOC itself is a high-value target. If attackers compromise the SOC's systems, they gain visibility into the defender's knowledge and can blind the monitoring operation. SOC infrastructure must be as hardened as the systems it protects.
Signal-to-noise separation — Terabytes of log data arrive daily. Analysts must separate known-good (allow), known-bad (block), and uncertain (investigate). The uncertain middle is where analyst value is created.
Inter-SOC collaboration and threat sharing — Threat intelligence is more powerful when shared. If one SOC detects a new attack pattern, sharing that with peer SOCs enables collective defence. Threat intelligence sharing (ISACs, ISAOs, vendor feeds) multiplies defensive capability across organisations.
3
NIST SP 800-53 — Security Control Framework
The NIST Special Publication 800-53 — "Security and Privacy Controls for Federal Information Systems and Organizations" — is the primary framework for organising and selecting security controls. It's publicly available (free PDF download), making it the most widely adopted framework globally. ISO 27001 is an equivalent international standard but requires a paid licence.
18 control families
SP 800-53 organises controls into 18 families: Access Control, Accountability/Audit, Awareness and Training, Configuration Management, Contingency Planning, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical and Environmental Protection, Planning, Program Management, Risk Assessment, Security Assessment, System and Services Acquisition, System and Communications Protection, System and Information Integrity.
Purpose: proactive, not reactive
Historical security was reactive — a new threat appeared and a control was deployed to stop it (firewall → AV → IDS). This keeps defenders one step behind attackers. SP 800-53 provides a framework for proactively selecting controls based on identified risk — getting ahead of threats before they occur.
Defence in depth
No single control is perfect — everything has a vulnerability. SP 800-53 encourages layering primary controls with complementary controls so that when one layer fails, the next layer still provides protection. The longer a control can delay an attack, the more effective it is.
Exam note on SP 800-53: You do not need to memorise all 18 families or read the entire document for the exam. Know: (1) it exists and what it's called, (2) it's published by NIST, (3) it's publicly free, (4) it covers federal information systems, (5) it provides a catalogue of controls in families. It's an on-the-job reference, not an exam memorisation target. The control categories (technical/operational/managerial) were removed in SP 800-53 Revision 4, but CompTIA still uses them — don't fight the exam on this.
4
Control Categories — Technical, Operational & Managerial
These three categories describe how a control is implemented. Note: these were removed from SP 800-53 Revision 4 onward because many controls span multiple categories. However, CompTIA still tests them on CySA+, so know them well.
Technical (= Logical)
Implemented through hardware, software, or firmware. Both terms mean the same thing — the distinction is purely terminology from different standards. Controls are implemented in the system itself. Examples: firewalls, antivirus, encryption, patches, ACLs, IDS/IPS, authentication systems.
Operational
Implemented primarily by people rather than technology. Addresses human behaviour and procedure. Examples: security guards, employee security awareness training, background checks, physical patrol procedures, incident response drills.
Managerial
Provides oversight of the information system. Focused on planning, policy, risk assessment, and governance — the management layer above technical and operational. Examples: risk identification programmes, vulnerability assessment frameworks, audit and compliance reviews, security planning documents.
Administrative (hybrid)
When operational and managerial controls blend together and can't be cleanly separated. Example: a vulnerability management programme — it has managerial oversight (planning/policy), operational components (technicians performing scans), and technical tools (Nessus/OpenVAS). The hybrid category acknowledges this overlap.
5
Functional Control Types — Preventative, Detective & Corrective
These three types describe what function a control performs — its goal relative to an attack. A single control can simultaneously fit multiple functional types.
🛡
Preventative
Eliminates or reduces the likelihood that an attack succeeds. Acts before the attack occurs. Does not guarantee 100% prevention — reduces probability.
Does not prevent access but identifies and records attempted or successful intrusions. Acts during or after the event. Provides evidence for investigation and response.
Eliminates or reduces the impact of an intrusion after it has occurred. Restores systems to normal operation. Acts after the event to recover from damage.
Data backups and restore, patch management (post-exploit), incident response procedures, system reimaging
Memory trick for functional types: Security Camera = Detective (records what happened, doesn't stop it). Door Lock = Preventative (stops access before it happens). Backup restore = Corrective (fixes damage after the fact). These real-world analogies will help you categorise any control quickly on the exam.
6
Additional Control Types — Physical, Deterrent, Compensating & Responsive
🏢 Physical
Acts against in-person intrusion attempts. Protects physical premises and hardware. Can overlap with preventative, detective, or corrective categories — physical is a property of the control, not a separate functional axis.
Discourages intrusion attempts through psychological influence — the perception of security is enough to redirect an attacker to a softer target. The control doesn't need to actually prevent access; it just needs to make the attacker decide not to try.
Security company signs on fence, "This property is monitored by CCTV" notices, visible security guards, alarm system indicator lights
⚖ Compensating
Substitutes for a primary control when the ideal control can't be implemented — providing equivalent protection through a different mechanism. Must be formally approved, documented, and reviewed. Used when cost, compatibility, or operational constraints prevent the principal control.
Smart card + PIN instead of long complex password. Network isolation instead of patching an unpatched legacy device. Additional monitoring for an unencryptable endpoint.
⚡ Responsive
Actively monitors for vulnerabilities or attacks and takes automated action to mitigate them before (or as) damage occurs. Goes beyond detection to active response. Combines monitoring with real-time automated countermeasures.
Firewall blocking malicious IP in real-time, IPS dropping attack traffic, EDR quarantining malware automatically, SIEM auto-revoking a compromised account
7
The Security Control Type Matrix
Controls can be classified on two independent axes simultaneously: Category (how it's implemented: Technical/Operational/Managerial) and Function (what it does: Preventative/Detective/Corrective). Any control occupies a position in this matrix — often spanning multiple cells.
Security Control Classification Matrix — Category × Function
Post-incident reviews, lessons-learned documentation, security policy updates after breach
Controls span multiple matrix cells. A vulnerability management programme (like Nessus + policies + procedures) is simultaneously Technical (scanner tool), Operational (technician performs the scan), and Managerial (risk oversight). NIST removed these categories from SP 800-53 Rev 4 precisely because this overlap caused confusion. For the exam: understand the concepts, don't over-compartmentalise.
8
Selecting Controls with the CIA Triad
When selecting security controls, always evaluate your risk through the lens of the CIA triad. Each tenet maps to a different class of control and a different type of vulnerability it solves. No single control covers all three — you need multiple controls for full coverage.
C
Confidentiality
→ Encryption
Encrypted hard drive. TLS on web traffic. AES-256 for data at rest. Access controls (who can read this?). Encrypted backups. DLP preventing exfiltration.
I
Integrity
→ Hashing
Digital signatures on emails. File integrity monitoring (hashing). HTTPS certificate validation. Backup integrity checking. Version control and checksums.
A
Availability
→ Redundancy
Cloud elasticity/auto-scaling. RAID storage arrays. Load balancers. UPS and backup power. Offsite backups. Clustering and failover. DDoS mitigation.
Worked example — selecting controls for a gap
Scenario: A company has a database backup solution that uses hashing to validate integrity as data is written to backup media. Which control should be added to ensure full CIA coverage?
Integrity ✓ (covered)
Hashing the backup validates that data hasn't been tampered with during the write process. The I in CIA is satisfied.
Availability ✓ (covered)
Having a backup in the first place ensures data can be recovered if lost. The A in CIA is satisfied.
Confidentiality ✗ (gap)
The backup data is not encrypted — if the backup media is stolen, anyone can read it. Missing. Add: encryption of the backup AND/OR access controls restricting who can access the backup. Now CIA is fully covered.
Exam approach: When a scenario asks you to recommend a control — first identify which CIA tenet is unaddressed. If there's no encryption, it's a Confidentiality gap. If there's no hashing or integrity verification, it's an Integrity gap. If there's no redundancy, failover, or backup, it's an Availability gap. Then match the appropriate control type to fill that specific gap.
Exam
Quick Reference Cheat Sheet
Cybersecurity analyst role
Senior position — direct responsibility for protecting sensitive information. Requires 2–4 years as a specialist/technician first. Functions: implement/configure security controls, work in SOC, lead incident response, conduct risk/vulnerability assessments and pen tests, maintain threat intelligence, advise on compliance. Must be creative thinker and problem solver. CISO = ultimate authority (C-suite level).
Security Operations Center (SOC)
Single point of contact for security monitoring and incident response. Many junior analysts supervised by senior analysts. Find indicators of compromise (IoCs) in logs. Needs: authority to operate, skilled staff, integrated processes, incident response capability, self-protection, signal/noise separation, inter-SOC threat sharing. SOC ≠ service desk. Smaller orgs outsource to commercial SOC providers.
NIST SP 800-53
Security and Privacy Controls for Federal Information Systems. 18 control families. Free public document (download from NIST website). More widely adopted than ISO 27001 (which costs money). Framework for proactive, risk-based control selection. Defence in depth = layering primary + complementary controls. Control categories (technical/operational/managerial) removed in Rev 4+ but CompTIA still tests them.
Control categories (how implemented)
Technical = hardware/software/firmware (= Logical — same thing). Examples: firewall, antivirus, encryption, patch. Operational = people and processes. Examples: security guards, awareness training. Managerial = oversight and governance. Examples: risk assessments, audits, security planning. Administrative = hybrid of operational + managerial. Controls often span multiple categories — don't over-compartmentalise.
Functional types (what they do)
Preventative = stops attacks before they succeed (firewall, AV, MFA, encryption). Detective = records attempts but doesn't stop them (logs, cameras, IDS, SIEM alerts). Corrective = reduces impact after intrusion (backup restore, patch deployment, incident response). Memory: door lock=Preventative, security camera=Detective, backup restore=Corrective. Controls can be multiple functional types simultaneously.
Additional control types
Physical = acts against in-person intrusions (locks, guards, cameras, bollards, alarms). Can also be preventative, detective, or corrective. Deterrent = psychological discouragement without actual blocking (security signs, visible cameras, alarm stickers). Compensating = substitute for primary control when ideal isn't feasible (smart card + PIN instead of complex password). Responsive = actively monitors AND takes automated action (IPS dropping traffic, EDR quarantining malware).
CIA triad for control selection
C (Confidentiality) → Encryption. What are you using to prevent unauthorised viewing? I (Integrity) → Hashing. What are you using to prove data hasn't been altered? A (Availability) → Redundancy. What are you using to ensure access is maintained? Identify which tenet is unaddressed, then select the control that fills that gap. No single control covers all three — layering is required.