Domain 7: Security Operations (13%)

7.1 Understand and comply with investigations

  • Evidence collection and handling
  • Reporting and documentation
  • Investigative techniques
  • Digital forensics tools, tactics, and procedures
  • Artifacts (e.g., data, computer, network, mobile device)

7.2 Conduct logging and monitoring activities

  • Intrusion detection and prevention system (IDPS)
  • Security information and event management (SIEM)
  • Security orchestration, automation and response (SOAR)
  • Continuous monitoring and tuning
  • Egress monitoring
  • Log management
  • Threat intelligence (e.g., threat feeds, threat hunting)
  • User and Entity Behavior Analytics

7.3 Perform configuration management (CM) (e.g., provisioning, baselining, automation)

7.4 Apply foundational security operations concepts

  • Need-to-know/least privilege
  • Segregation of Duties (SoD) and responsibilities
  • Privileged account management
  • Job rotation
  • Service-level agreements (SLA)

7.5 Apply resource protection

  • Media management
  • Media protection techniques
  • Data at rest/data in transit

7.6 Conduct incident management

  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation
  • Lessons learned

7.7 Operate and maintain detection and preventative measures

  • Firewalls (e.g., next generation, web application, network)
  • Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
  • Whitelisting/blacklisting
  • Third-party provided security services
  • Sandboxing
  • Honeypots/honeynets
  • Anti-malware
  • Machine learning and artificial intelligence (AI) based tools

7.8 Implement and support patch and vulnerability management

7.9 Understand and participate in change management processes

7.10 Implement recovery strategies

  • Backup storage strategies (e.g., cloud storage, onsite, offsite)
  • Recovery site strategies (e.g., cold vs. hot, resource capacity agreements)
  • Multiple processing sites
  • System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance

7.11 Implement disaster recovery (DR) processes

  • Response
  • Personnel
  • Communications (e.g., methods)
  • Assessment
  • Restoration
  • Training and awareness
  • Lessons learned

7.12 Test disaster recovery plan (DRP)

  • Read-through/tabletop
  • Walkthrough
  • Simulation
  • Parallel
  • Full interruption
  • Communications (e.g., stakeholders, test status, regulators)

7.13 Participate in Business Continuity (BC) planning and exercises

7.14 Implement and manage physical security

  • Perimeter security controls
  • Internal security controls

7.15 Address personnel safety and security concerns

  • Travel
  • Security training and awareness (e.g., insider threat, social media impacts, two-factor authentication (2FA) fatigue)
  • Emergency management
  • Duress