CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
With the rise of cybercrime to a near exponential level, you may ask, “what is the front line in this battle with cybercrime?” The closest thing to a front line is the day-to-day security operations (aside from end points) of an organization. Be it a security operations center (SOC), logging and monitoring, insertable media management and maintaining preventive measures, or even security training and awareness— security operations can be considered one of the first lines of defense against the constant threat of cybercrime.
The 7th domain of the CISSP certification exam covers security operations. The day-to-day security tasks are not limited to an information security professional monitoring security incidents in a dark SOC computer lab. Instead, security operations is a broad categorization of information security tasks that ranges from how an organization handles security investigations to applying resource protection to maintaining detective measures.
Earn your CISSP, guaranteed!
This article will detail the wide range of subdomains covered in domain 7 of CISSP and their respective objectives. It will finish up with further information you will need to know about domain 7, so you can ace the 2021 update of the CISSP certification exam.
CISSP domain 7: Security operations
Below are the subdomains and objectives covered by domain 7, which make up 13% of the material covered on the CISSP certification exam:
Understand and comply with investigations
- Evidence collection and handling
- Reporting and documentation
- Investigative techniques
- Digital forensics tools, tactics, and procedures
- Artifacts (e.g., computer, network, mobile device)
Conduct logging and monitoring activities
- Intrusion detection and prevention
- Security Information and Event Management (SIEM)
- Continuous monitoring
- Egress monitoring
- Log management
- Threat intelligence (e.g., threat feeds, threat hunting)
- User and Entity Behavior Analytics (UEBA)
Perform Configuration Management (CM) (e.g., provisioning, baselining, automation
Apply foundational security operations concepts
- Need-to-know/least privilege
- Separation of Duties (SoD) and responsibilities
- Privileged account management
- Job rotation
- Service Level Agreements (SLAs)
Apply resource protection
- Media management
- Media protection techniques
Conduct incident management
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons learned
Operate and maintain detective and preventative measures
- Firewalls (e.g., next generation, web application, network)
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Whitelisting/blacklisting
- Third-party provided security services
- Sandboxing
- Honeypots/honeynets
- Anti-malware
- Machine learning and Artificial Intelligence (AI) based tools
Implement and support patch and vulnerability management
Understand and participate in change management processes
Implement recovery strategies
- Backup storage strategies
- Recovery site strategies
- Multiple processing sites
- System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance
Implement Disaster Recovery (DR) processes
- Response
- Personnel
- Communications
- Assessment
- Restoration
- Training and awareness
- Lessons learned
Test Disaster Recovery Plans (DRP)
- Read-through/tabletop
- Walkthrough
- Simulation
- Parallel
- Full interruption
Participate in Business Continuity (BC) planning and exercises
Implement and manage physical security
- Perimeter security controls
- Internal security controls
Address personnel safety and security concerns
- Travel
- Security training and awareness
- Emergency management
- Duress
Now that you are familiar with the objectives and subdomains let’s look more closely at security operations information that will assist you as you get ready for the CISSP certification exam. You can find more information, such as a complete listing of the domains and CISSP linear examination weights, in the CISSP exam outline.
Earn your CISSP, guaranteed!
Artifacts
New for the 2021 CISSP exam update, this topic addresses artifacts, which are the things left behind from a security incident that may form a trail of when something happened and what happened. These clues are important for a security investigation and should be preserved as much as possible. Artifacts can reside on computers, network devices, and mobile devices.
New topics covered by conduct logging and monitoring activities
This subdomain covers some topics that are new for the 2021 CISSP exam update. These new topics are:
Log management — refers to the organization and lifecycle of logs. Logs cannot last forever, but they need to be around for long enough so a third-party tool or SIEM can ingest the data in the log and for admins to have enough time to remediate any issues found within them.
Threat intelligence — this is threat-related data that can help in minimizing threats. Examples of threat intelligence are threat feeds and threat hunting.
User and entity behavior analytics (UEBA) — this is a more cutting-edge area of information security that analyzes both user and system behavior to determine a baseline of what is considered normal and to help detect anomalous behavior. It can be thought of as similar to how financial institutions detect fraudulent activity based on anomalous use of a consumer credit card.
Patch management vs. vulnerability management
Some may use patch management and vulnerability management interchangeably, which is mistaken. Patches are software updates that are provided by vendors and patch management is the process of managing all of the patches across an organizational environment. A good patch management system includes automatic detection and download of new patches, automatic distribution of patches, reporting on patch compliance, and automatic rollback capabilities.
Vulnerability management focuses on vulnerabilities, which are ways an environment is at risk. The risk referred to here is that which would cause your environment to be compromised or degraded. Vulnerability management solutions can scan an environment looking for vulnerabilities. Be ready to explain zero-day vulnerabilities and zero-day exploits on the exam.
Change management
Change management is an area of security operations that may get overlooked. It refers to a structured way an organization handles changes in its environment. The goals of change management are to minimize risk, improve user experience, and provide consistency regarding changes that occur. Organizations approach change differently, but some commonly seen change management steps are:
- Identify the need for a change
- Test the change in a lab
- Put in a change request
- Obtain approval
- Send out notifications
- Perform the change
- Send out “all clear” notifications
Earn your CISSP, guaranteed!
Conclusion
Domain 7 of the CISSP certification exam covers security operations. This area of CISSP material can be thought of as one of the first lines of defense against cyber threats and exploits. It covers a wide range of security tasks across different areas of information security. Use this article as you prepare for the CISSP certification exam, and you will have a solid start in mastering this exam material.
For more on the CISSP certification, view our CISSP hub.
Sources
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP certification - The ultimate guide [updated 2021]
- The CISSP domains and CBK: An overview
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- Due care vs. due diligence and the CISSP
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Data security controls and the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
- Change management and the CISSP
