Continuing with the series, this article will focus on a very important domain of CISSP from which you can expect a lot of questions in the exam. Domain 7 in CISSP is Security Operations. The main agenda of this domain is to test a candidate’s knowledge of investigations process, incident response framework, the change management processes, BCP/DR processes, physical security, etc.

So let’s begin with the main points with regard to Domain 7.

  • Understand Locard’s Exchange Principle: According to this principle, whenever a crime is committed, the person who did evil leaves something and take something in return. What is left over is used to identify the person responsible.
  • Chain of custody: It should represent all aspects how evidence is handled. Any missing link in the chain of custody will raise questions about the integrity of the evidence.
  • Difference between Fail-Safe and Fail-Secure: Fail-safe provides minimum harm to systems/personnel’s when a system fails, whereas fail-secure blocks access while the system in not in a consistent state.
  • Difference between classification and categorization: Classification ensures that information is marked in such a way that it provides a clear description about the clearance level associated with that system, whereas categorization is a way to determine the loss of confidentiality, integrity, or availability if an information is lost.
  • Understand the complete Information Life Cycle:
    • Creation
    • Distribution
    • Use
    • Maintenance
    • Disclosure
    • Disposal
  • Degaussers are used to erase data saved to magnetic media. The following terms are important
    • Coercivity: Amount of energy required to reduce the magnetic fields on device to zero.
    • Remanence: The left-over magnetic field after degaussers are applied.
  • Understand incident handling and response phases
    • Triaging phase: This phase is mostly used to filter out false positives and concentrate on real incidents.
    • Investigation phase:
      • Containment phase
      • Analysis phase
      • Recovery phase
  • Root cause analysis: It focuses on “What led to the incident?”
    • Ishikawa Diagram: Cause and effect diagram
    • Five why’s
    • Fault tree analysis
    • Pareto analysis
    • Change analysis
    • Cause mapping
    • Casual factor analysis
    • Apollo root cause analysis
    • Rapid problem resolution problem diagnosis
  • Backup strategies and recovery:
    • Backup: Understand the difference between following types of backup strategies
      • Differential: It copies only those files that have had their data changed since last full backup. This requires more space than incremental backup.
      • Incremental: It takes copies of only those files that have changed since the last full or incremental backup i.e. backup works on incremental basis. This kind of backup strategy takes more time in restoration.
    • Recovery Sites:
      • Redundant center: This site is for those applications that cannot afford any downtime. This is a very expensive option.
      • Internal hot site: All the necessary equipment and technology needed to run the application is positioned at this internal hot site. However, note that in an internal hot site, there are no applications or data on site.
      • External hot site: As compared to internal hot site, this site has only equipment ready within data center but the complete environment for applications to operate needs to be rebuilt.
      • Mobile site: This site is mostly a mobile trailer and is equivalent to a data center on wheels.
      • Cold site: This is an empty data center with nothing on the floor.
      • Warm Site: This site is partially configured with cabling, cooling, HVAC, and computers, etc., but the actual servers are delivered only at the time of disaster.
  • Drives and data storage
    • SAN: This is a dedicated level of storage operated at the block level, which can be a network across storage devices like optical drives, disk arrays, etc.
    • NAS: This is used to basically store and retrieve files. It is different from a SAN in that it operates at the file level.
    • JBOD: Just-a-bunch-of-drives that will provide basic data storage.
    • RAID: Redundant array of independent disks. The following RAID levels are important :
      • RAID 0: Writes files in stripes across multiple disks without use of parity information. Minimum number of disks required is 2. This provides fast reading and writing but does not provide redundancy.
      • RAID 1: This disk creates identical copies of drives so that redundancy is provided. Space is effectively utilized, since half will be given to another disk and therefore it is very expensive.
      • RAID 3: Data is striped across multiple disks at byte level.
      • RAID 4: Data is striped across multiple disks at block level.
      • RAID 5: Data and parity Information is striped together across all drives.
      • RAID 0+1: First set of disks stripes all of the data across the available drives and those drives are mirrored to a different set of disks.
      • RAID 1+0: Each drive in the first set of drives is mirrored to a matching drive in the second set.
    • RAIT: Redundant array of independent tapes; it utilizes striping without stripping.

CISSP Instant Pricing- Resources

  • Journaling: It is a technique used by the DB admins to provide redundancy for transactions.
  • Electronic vaulting: It is used to back up systems over a geographical separate location, which is known as a vault site.
  • Understand the difference in roles and responsibilities between business continuity manager, coordinator, and departments.
  • Understand the types of external monitoring systems, such as infrared sensors, microwave sensors, coaxial strain sensitive cable, etc. Also understand the two items below:
    • Lighting system : Continuous lighting, standby lighting, movable lighting, emergency lighting and egress lighting
    • Cameras: Outdoor, fixed position camera, dome camera, IP camera, PTZ camera, etc.
  • Understand the following testing strategy types:
    • Structured walkthrough: Test plans are properly communicated with team member and proper plan layout is prepared.
    • Simulation test: This test simulates a disaster.
    • Parallel test: This test is conducted to show controls are working at alternate location
    • Full-scale test