Domain 7: Security Operations (13%)
7.1 Understand and comply with investigations
- Evidence collection and handling
- Reporting and documentation
- Investigative techniques
- Digital forensics tools, tactics, and procedures
- Artifacts (e.g., data, computer, network, mobile device)
7.2 Conduct logging and monitoring activities
- Intrusion detection and prevention system (IDPS)
- Security information and event management (SIEM)
- Security orchestration, automation and response (SOAR)
- Continuous monitoring and tuning
- Egress monitoring
- Log management
- Threat intelligence (e.g., threat feeds, threat hunting)
- User and Entity Behavior Analytics
7.4 Apply foundational security operations concepts
- Need-to-know/least privilege
- Segregation of Duties (SoD) and responsibilities
- Privileged account management
- Job rotation
- Service-level agreements (SLA)
7.5 Apply resource protection
- Media management
- Media protection techniques
- Data at rest/data in transit
7.6 Conduct incident management
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons learned
7.7 Operate and maintain detection and preventative measures
- Firewalls (e.g., next generation, web application, network)
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
- Whitelisting/blacklisting
- Third-party provided security services
- Sandboxing
- Honeypots/honeynets
- Anti-malware
- Machine learning and artificial intelligence (AI) based tools
7.8 Implement and support patch and vulnerability management
7.9 Understand and participate in change management processes
7.10 Implement recovery strategies
- Backup storage strategies (e.g., cloud storage, onsite, offsite)
- Recovery site strategies (e.g., cold vs. hot, resource capacity agreements)
- Multiple processing sites
- System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance
7.11 Implement disaster recovery (DR) processes
- Response
- Personnel
- Communications (e.g., methods)
- Assessment
- Restoration
- Training and awareness
- Lessons learned
7.12 Test disaster recovery plan (DRP)
- Read-through/tabletop
- Walkthrough
- Simulation
- Parallel
- Full interruption
- Communications (e.g., stakeholders, test status, regulators)
7.13 Participate in Business Continuity (BC) planning and exercises
7.14 Implement and manage physical security
- Perimeter security controls
- Internal security controls
7.15 Address personnel safety and security concerns
- Travel
- Security training and awareness (e.g., insider threat, social media impacts, two-factor authentication (2FA) fatigue)
- Emergency management
- Duress