Segmentation, firewalls, endpoint protection, remote access, and device management.
This chapter covers the structural design choices that support a secure environment. The exam focus is on how architecture and network controls limit exposure, contain compromise, and support monitored access.
Security-architecture questions should identify the control layer before selecting the control. Segmentation, perimeter filtering, endpoint hardening, remote-access design, and mobile-device governance address different failure points.

| Control layer | What it primarily does | Common ISC trap |
|---|---|---|
| Network segmentation | Limits movement and isolates higher-risk systems or data. | Assuming one perimeter control protects all internal resources equally. |
| Firewalls and IDPS | Filters traffic and detects or blocks suspicious activity. | Treating detection as prevention without response procedures. |
| Endpoint hardening and patching | Reduces device-level vulnerability and misconfiguration risk. | Focusing on network controls while unmanaged endpoints remain exposed. |
| VPN, wireless, and remote access | Secures access from outside trusted network boundaries. | Allowing remote access without authentication, encryption, and monitoring controls. |
| MDM and BYOD | Governs portable devices, personal devices, configuration, and data protection. | Treating personal-device convenience as if it removes organizational risk. |

| Step | What to do | Why it matters on ISC |
|---|---|---|
| 1. Identify the protected asset | Determine whether the risk concerns systems, data, endpoints, networks, users, or remote connectivity. | Architecture choices must match what needs protection. |
| 2. Locate the control layer | Decide whether the best response is segmentation, perimeter filtering, endpoint hardening, remote-access control, or device governance. | Controls fail when they are applied at the wrong layer. |
| 3. Distinguish prevention and detection | Separate blocking controls from monitoring, alerting, logging, and response mechanisms. | IDPS and firewalls do not eliminate risk without response procedures. |
| 4. Evaluate access paths | Review VPN, wireless, privileged access, BYOD, and third-party connectivity. | Many architecture weaknesses arise at the edge of the trusted network. |
| 5. Confirm monitoring and maintenance | Check patching, configuration management, log review, exception handling, and periodic reassessment. | Security architecture degrades when controls are not maintained after design. |

| Checkpoint | Exam use | What to avoid |
|---|---|---|
| Asset boundary | Identify the system, data store, endpoint group, network zone, or remote-access path being protected. | Selecting a control before knowing what exposure it is meant to reduce. |
| Segmentation logic | Determine whether the design limits lateral movement, separates sensitive systems, or isolates untrusted traffic. | Relying on a perimeter firewall while internal zones remain flat. |
| Preventive versus detective control | Separate blocking, hardening, authentication, logging, alerting, and response functions. | Treating detection tools as if they automatically prevent compromise. |
| Endpoint condition | Check patch status, configuration baseline, malware protection, privilege, and device management. | Protecting the network while unmanaged endpoints remain a direct entry path. |
| Remote-access governance | Confirm encryption, authentication, authorization, monitoring, and device rules for offsite connections. | Allowing convenience-based access without compensating controls. |