Domain 1 of 5

General Security Concepts

Domain · 12% of the SY0-701 exam

This domain is the vocabulary the other four domains presume

Assuming only general IT literacy, this domain gets you to where you classify any control or crypto mechanism in the exam's terms. General Security Concepts is the smallest-weighted domain (12%) but it defines the classification language every later scenario reuses: control category and type, the CIA triad and its DAD inverse, AAA, non-repudiation, zero-trust roles, and the cryptographic primitives. When a Security Architecture or Operations item asks you to choose a control or a crypto mechanism, it is testing whether you can name it precisely in this domain's terms. Treat the four subtopics as a shared dictionary rather than isolated facts: a wrong category label (calling a managerial policy a technical control) or a wrong property claim (saying a hash gives confidentiality) is a wrong answer no matter how well you understand the rest of the exam.

Every concept here answers 'which goal, delivered by which mechanism'

The unifying pattern across all four subtopics is a goal-to-mechanism mapping that must be exact. A control type maps an objective to the threat lifecycle (preventive stops, detective discovers, corrective restores); the CIA triad maps a control to confidentiality, integrity, or availability; cryptography maps a mechanism to a guaranteed property (encryption gives confidentiality, hashing gives integrity, a digital signature gives integrity plus authentication plus non-repudiation). Exam distractors work by offering a mechanism that delivers the wrong property. Encryption proposed where the requirement is to prove the message was not altered, or a deterrent control where the scenario needs to actually block the action. Anchor on the requested goal first, then pick the single mechanism that delivers exactly that goal and no more.

Classification axes are independent. Never let one collapse into another

The domain repeatedly pairs two orthogonal axes that exam items try to conflate. A control has one category (technical, managerial, operational, physical) AND one type (preventive, deterrent, detective, corrective, compensating, directive); category says who or what implements it, type says what it does to a threat, and changing the purpose never changes the category. The same independence appears in cryptography: key length is not comparable across algorithm families (a 256-bit ECC key and a 256-bit AES key are unrelated), and a cipher's symmetric/asymmetric nature is separate from the property it provides. Multi-membership is resolved by the scenario's emphasised verb, not by averaging the axes. A CCTV camera is technical because it is hardware and detective because it records, and naming it 'physical' confuses the camera with the wall it is mounted on.

Modern security replaces implicit trust with a governed, per-decision model

Zero trust and change management are the same idea applied to two different surfaces, and the domain pairs them deliberately. Zero trust (NIST SP 800-207) removes implicit trust based on network location: a policy decision point (the policy engine plus policy administrator) decides every request against policy, and a separate policy enforcement point acts on that decision, granting access per session with least privilege. Change management removes implicit trust in modifications: every production change passes a governed gate (owner, impact analysis, recorded test results, documented backout plan, maintenance window) before work begins, and the version-controlled record is the audit trail. In both, the security weakness is the ungoverned default (a flat network with standing trust, or an unapproved undocumented change) because each removes the decision point and the ability to recover or attribute.

Which security goal each core mechanism delivers

MechanismConfidentialityIntegrityAuthenticationNon-repudiationCanonical SY0-701 use
Symmetric encryption (AES)YesNoNoNoFast bulk data encryption at rest / in transit
Asymmetric encryption (RSA, ECC)YesNoNoNoWrap or exchange a symmetric key (hybrid crypto)
Cryptographic hash (SHA-256)NoYesNoNoIntegrity verification; keyless one-way fingerprint
HMAC (keyed hash)NoYesYesNoKeyed integrity and origin auth without proof of origin to third parties
Digital signatureNoYesYesYesProve a message is unaltered AND came from the key holder
Salting + key stretching (bcrypt, Argon2)NoYesNoNoSlow, per-password hashing that defeats rainbow tables

Subtopics in this domain