Domaine 7 · 13% Exam weight

Security Operations

Domain 7 is the day-to-day execution domain: detect, contain, recover. It covers forensics and chain of custody, logging and intrusion detection (IDS/IPS, SIEM/SOAR), continuous monitoring (ISCM), operational principles (least privilege, separation of duties, PAM), the incident lifecycle, then resilience: backups, RAID, recovery sites, and BCP/DRP. It is 13% of the exam and the ground where concepts from other domains become procedures.

(ISC)² CBK Objectives

The 15 official learning areas of Domain 7. Click an objective for detail.

Objective A

Understand and comply with investigations

Diagramme — Understand and comply with investigations

4 investigation types (see D1). In practice: isolate without destroying, document every action (chain of custody), preserve volatility (RAM before disk), work on bit-for-bit copies (disk imaging).

Key points

  • Order of volatility: registers/RAM → cache → disk → archives
  • Imaging: MD5/SHA fingerprint before and after
  • Never boot a compromised host on its own OS
Objective B

Conduct logging and monitoring activities

Diagramme — Conduct logging and monitoring activities

SIEM centralizes logs, correlates them, triggers alerts. Sources: OS, apps, network, endpoint (EDR), cloud (CloudTrail). Challenges: volume, signal/noise, false positives. SOAR to automate response to repetitive alerts.

Key points

  • Tamper-proof logs: WORM, signatures, SIEM separate from prod
  • NTP synchronized or correlation fails
  • UEBA detects anomalous behavior without signatures
Objective C

Perform configuration management (CM)

Diagramme — Perform configuration management (CM)

Maintain a known/documented state of all systems. CMDB = live inventory. Hardened baselines (CIS Benchmarks). Drift detected by scanner (Chef Inspec, OpenSCAP). IaC (Terraform) = codified, reproducible configuration.

Key points

  • Configuration drift = #1 cloud incident cause
  • IaC + GitOps = auditable baseline
  • Accurate CMDB = prerequisite for other controls
Objective D

Foundational security operations concepts

Diagramme — Foundational security operations concepts

Need to know, least privilege, SoD, dual control, job rotation, mandatory vacation (forced rotation to surface fraud), privileged access monitoring. These principles aren't D1-only: they materialize in daily operations.

Key points

  • Mandatory vacation: forced leave ≥ 5 consecutive days to surface ongoing fraud
  • Admin: separate user/privileged accounts
  • PAM (CyberArk, BeyondTrust) for vaulting + session recording
Objective E

Apply resource protection

Diagramme — Apply resource protection

Protect tangible and intangible assets: data, systems, media, documentation, crypto keys. DLP (data loss prevention) in transit and at rest. Physical media protection (encrypted storage, certified destruction).

Key points

  • DLP: pattern detection (credit cards, SSN) + upload/email block
  • Crypto keys = most sensitive asset: HSM + SoD
  • Destruction: certificate + witness
Objective F

Conduct incident management

Diagramme — Conduct incident management

IR cycle: Prepare → Detect → Analyze → Contain → Eradicate → Recover → Lessons Learned. Pre-defined playbooks per type (ransomware, data breach, DDoS, insider). Internal + external comms (customers, regulators).

Key points

  • Preparation > reaction: written playbooks save lives
  • Isolation ≠ shutdown - preserve for forensics
  • Blameless post-mortem = real learning
Objective G

Operate preventative and detective measures

Diagramme — Operate preventative and detective measures

Firewalls, IDS/IPS, antivirus/EDR, WAF, sandboxing, honeypot (decoy for detection), threat intel (STIX/TAXII), application allowlisting. Combination of preventive + detective + corrective controls.

Key points

  • EDR > classic antivirus (behavior vs signature)
  • Honeypot = high signal value (all activity = suspect)
  • Shared threat intel: MISP, ISACs
Objective H

Patch and vulnerability management

Diagramme — Patch and vulnerability management

Continuous vulnerability scanning (Nessus, Qualys, OpenVAS), prioritization by CVSS + exploitability (EPSS) + exposure (asset criticality). Patch waves: test → pilot → prod. SLA: critical 24-72 h, high 30 d.

Key points

  • EPSS = real exploitation probability, complements CVSS
  • Virtual patching (WAF) while waiting for official patch
  • Measure patch MTTR, not just % coverage
Objective I

Understand and participate in change management

Diagramme — Understand and participate in change management

Request → Review (CAB) → Approve → Test → Deploy → Verify → Close. Distinguish standard changes (pre-approved, automatable), normal (CAB), emergency (E-CAB post-implementation). Every change must be traceable and reversible.

Key points

  • Rollback plan mandatory before deployment
  • Freeze periods (critical events, year-end close)
  • Change mgmt ≠ configuration mgmt (CM = state, Change = transition)
Objective J

Implement recovery strategies

Diagramme — Implement recovery strategies

Backups: 3-2-1 (3 copies, 2 media, 1 off-site). Types: full, incremental (restore full + all), differential (restore full + latest). Immutable against ransomware. Periodic restore test.

Key points

  • Modern 3-2-1-1-0: +1 immutable/air-gapped, 0 errors at test
  • An untested backup does not exist
  • RPO driven by backup frequency
Objective K

Disaster Recovery (DR) processes

Diagramme — Disaster Recovery (DR) processes

The DRP is the IT aspect of BCP: system recovery after major disaster. Sites: hot (minutes), warm (1-2d), cold (1-2w), mobile. Architecture: multi-region, multi-AZ cloud, async/sync replication.

Key points

  • Shorter RTO = more expensive
  • Cloud: multi-region = native DR if properly configured
  • Document runbooks, not just architecture
Objective L

Test disaster recovery plans (DRP)

Diagramme — Test disaster recovery plans (DRP)

5 levels: desk check (read), table-top (roleplay), simulation (scenario without touching prod), parallel (switch to secondary without stopping prod), full interruption (prod cut - risky, semi-annual max).

Key points

  • Gradually increase intensity
  • Full interruption = ultimate proof but business risk
  • Documented tests = audit evidence
Objective M

Participate in business continuity planning and exercises

Diagramme — Participate in business continuity planning and exercises

BCP goes beyond IT: crisis comms, finance, legal, HR, facilities. Each department has its share. Cross-team exercises (e.g. cyberattack + fire) reveal hidden dependencies.

Key points

  • Crisis cell: predefined roles (leader, comms, tech, legal)
  • Annual exercises minimum, varied scenarios
  • Lessons learned = assigned action items
Objective N

Implement and manage physical security

Diagramme — Implement and manage physical security

Perimeter, access control (badges, biometrics, mantraps), CCTV, guards, intrusion (detectors, alarms), environmental (fire, flood, HVAC, UPS). Defense in depth applied to facilities.

Key points

  • CCTV: 30-90 d retention, privacy zones
  • Human guards complement, don't replace tech
  • Datacenter: extra rules (Tier, fire, raised floor, cages)
Objective O

Personnel safety and security concerns

Diagramme — Personnel safety and security concerns

Safety > security when in conflict: human life first. Evacuation plans, first aid, travel security (risk countries), duress (under-threat signal), workplace violence. Wellness against burnout.

Key points

  • Fire: life first, not data
  • Duress code: discreet word/signal to alert without tipping off
  • Travel: burner phone, clean device, VPN

Key concepts

Order of volatility

Ranks evidence sources from most volatile to most durable, dictating collection order: CPU registers and cache > RAM > network state and connection tables > temporary files and active disk > durable media (disks, archives, backups). Capture the most volatile first; RAM is unrecoverable once powered off, hence a memory dump before any shutdown.

Chain of custody

Documented traceability of evidence from collection to presentation, answering who/what/where/why/when for every handling. Preserve the original via write-blocking and analyse bit-level copies. A single missing link makes the evidence challengeable. The four presentation tenets: admissibility, accuracy, comprehensibility, objectivity.

IDS vs IPS

An IDS (intrusion detection system) detects and alerts a human, without interrupting traffic. An IPS (intrusion prevention system) detects AND automatically acts to block. Placements: perimeter (DMZ, north-south), host-based (HIDS/HIPS on endpoints), network-based (NIDS/NIPS on segments, east-west) - combine them. Methods: signature (known), deviation/heuristic (unknown, false positives), pattern matching (leaks, DLP).

SIEM and SOAR

The SIEM (Security Information and Event Management) aggregates, normalises, correlates, and stores heterogeneous logs to turn scattered events into high-confidence alerts; off-host storage matters because log deletion is itself an IoC. SOAR (Security Orchestration, Automation and Response) adds tool orchestration, playbook automation, and response - speeding up and standardising the SOC's reaction.

Continuous monitoring (ISCM)

ISCM (Information Security Continuous Monitoring, NIST SP 800-137) maintains ongoing awareness of security posture, vulnerabilities, and threats to support risk-management decisions. Distinct from log management (NIST SP 800-92): ISCM is the continuous monitoring of posture, while log management is the lifecycle handling of the logs that feed it.

Least privilege, SoD, PAM

Least privilege = the strict minimum of rights; need-to-know = access only to the information required (orthogonal to privilege). Separation of Duties (SoD) splits a sensitive task across people to neutralise single-person fraud. PAM (Privileged Account Management) manages, monitors, and vaults high-privilege accounts; just-in-time (JIT) identity grants elevation only for the time needed, shrinking the standing attack surface.

Incident lifecycle

NIST SP 800-61: Preparation > Detection & Analysis > Containment, Eradication & Recovery > Post-Incident Activity. ISO/IEC 27035 offers an equivalent cycle. An event is any observable fact; an incident is an event (or series) that threatens security. The cheat sheet summarises the response as Detect, Respond, Report, Recover, Remediate, Review.

Containment vs eradication

Containment = limit the spread of damage (isolate hosts, segment, cut a flow) without yet removing the cause. Eradication = eliminate the root cause (malware, compromised account, exploited vulnerability). Recovery = return systems to clean production; remediation = fix durably to prevent recurrence. The order is containment BEFORE eradication.

Backups 3-2-1 and types

3-2-1 rule: 3 copies, on 2 media types, 1 of them off-site (modern variant +1 immutable, 0 test errors). Full = everything, clears the archive bit. Incremental = since the last backup (full or incr.), clears the bit; restore = full + all incrementals. Differential = since the last full, keeps the bit; restore = full + last differential.

RAID levels

RAID 0 = striping (fast, 0 redundancy). RAID 1 = mirroring. RAID 5 = striping + distributed parity, n disks give n-1 usable and tolerate 1 failure. RAID 6 = dual parity, tolerates 2 failures (n-2 usable). RAID 10 = mirror + stripe (best perf/reliability ratio). Trap: RAID provides availability, it is NOT a backup - it protects against neither deletion nor ransomware.

Recovery sites and RTO/RPO/MTD

Sites: hot (minutes, ready to use, costly), warm (1-2 days), mobile (3-5 days), cold (1-2 weeks, empty shell). MTD = the total tolerable downtime of a process; RTO = the max time to restore a resource (drives the recovery technology); RPO = tolerable data loss (drives backup frequency). Golden rule: RTO ≤ MTD, and MTD = RTO + WRT.

DR test types

Five tests by increasing intensity: read-through/tabletop (around a table, cheapest and least intrusive), walk-through (travelling to the sites), simulation (scripted drill mobilising staff, e.g. a fire evacuation), parallel (the alternate site runs alongside production), full interruption (real cutover, production is taken down - the riskiest and most costly).

Locard's exchange principle

Every contact leaves a trace: each attacker action deposits artifacts (logs, files, registry) and removes others. The basis of forensics: no intrusion is traceless.

Clipping level

Threshold below which benign, repetitive events raise no alert (e.g. 3 tolerated login failures). Set too high, it hides a low-and-slow attack.

Resilience: HA, fault tolerance, QoS

High availability targets uptime (redundancy), fault tolerance targets uninterrupted continuity despite a failure, Quality of Service (QoS) guarantees bandwidth/latency/priority to critical flows.

Frameworks & standards

FrameworkRole
NIST SP 800-61 Incident response lifecycle (Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident).
ISO/IEC 27035 Information security incident management (international standard).
NIST SP 800-92 Reference guide for computer security log management.
NIST SP 800-137 Information Security Continuous Monitoring (ISCM) - ongoing posture monitoring.
NIST SP 800-86 Integrating forensics into incident response (Collection > Examination > Analysis > Reporting cycle).
NIST SP 800-34 Contingency planning for IT systems - basis of DRP/BCP (US).
ISO 22301 Business continuity management system (BCMS, international).
NIST SP 800-88 Guidelines for Media Sanitization - Clear, Purge, Destroy against data remanence.
ITIL v4 IT service management: incident, problem, and change enablement.
CIS Benchmarks / SCAP Automatable hardening baselines for configuration.

Acronyms

AcronymMeaning
IDS Intrusion Detection System - detects and alerts
IPS Intrusion Prevention System - detects and blocks
NIDS Network IDS - sensor on a network segment
HIDS Host IDS - agent on an endpoint
SIEM Security Information & Event Management
SOAR Security Orchestration, Automation & Response
ISCM Information Security Continuous Monitoring (NIST 800-137)
DLP Data Loss Prevention
UEBA User and Entity Behavior Analytics
IoC Indicator of Compromise
CMDB Configuration Management Database
SCAP Security Content Automation Protocol
RFC Request For Change
CAB Change Advisory Board
PAM Privileged Account Management
JIT Just-In-Time identity - temporary elevation
SoD Separation of Duties
RTO Recovery Time Objective
RPO Recovery Point Objective
MTD Maximum Tolerable Downtime
WRT Work Recovery Time
BIA Business Impact Analysis
RAID Redundant Array of Independent Disks
SAN Storage Area Network
NAS Network Attached Storage
CSIRT Computer Security Incident Response Team
SOC Security Operations Center
CPTED Crime Prevention Through Environmental Design
MDM Mobile Device Management
PIR Passive Infrared sensor