
Exam Weight: 13%
Domain 7 is where “the rubber meets the road.” It focuses on the day-to-day practicalities of running a security program, responding to incidents, and ensuring the business stays afloat during a disaster. It is heavily focused on procedures, investigations, and recovery.
1. Investigations and Evidence
As a security researcher, you’ll recognize this as the “forensics” section. The key is maintaining the Chain of Custody.
- Administrative: Internal investigations into policy violations.
- Criminal: Investigating violations of law (requires “beyond a reasonable doubt”).
- Civil: Disputes between parties (requires “preponderance of evidence”).
- Evidence Rules:
  - Best Evidence: Original documents/disks rather than copies.
  - Secondary Evidence: Copies or oral testimony (less weight).
  - Hearsay: Evidence not from personal knowledge (usually inadmissible).
- Forensic Flow: Identify → Preserve → Analyze → Report.
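The chain-of-custody discipline from this section, as an added Python example that is not part of the original notes: the original is hashed at acquisition (Preserve), every hand-off re-hashes what the receiver was given so a copy can be shown to match the original, and the log is checked before it is reported. Item IDs, analyst names, timestamps and the image bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Digest used to prove a working copy matches the original (best evidence)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    """One seized item plus every hand-off it went through.
    Log entries are (when, giver, receiver, action, observed_hash);
    'when' is an ISO 8601 UTC string so entries compare chronologically."""
    item_id: str
    original_hash: str
    custody_log: list = field(default_factory=list)


def preserve(item_id: str, data: bytes, collector: str, when: str) -> EvidenceRecord:
    """Preserve step: hash the original at acquisition and open the custody log."""
    rec = EvidenceRecord(item_id, sha256_hex(data))
    rec.custody_log.append((when, collector, collector, "acquired", rec.original_hash))
    return rec


def transfer(rec: EvidenceRecord, data: bytes, giver: str, receiver: str, when: str) -> bool:
    """Hand-off: the receiver re-hashes what they were given before signing for it.
    A mismatch means this is no longer the original; the refusal is logged, not hidden."""
    observed = sha256_hex(data)
    ok = observed == rec.original_hash
    rec.custody_log.append((when, giver, receiver, "transferred" if ok else "REJECTED", observed))
    return ok


def chain_is_intact(rec: EvidenceRecord) -> bool:
    """Report step: every entry matches the original hash, none was rejected,
    and timestamps never run backwards (an out-of-order entry is an unexplained gap)."""
    last = None
    for when, _giver, _receiver, action, digest in rec.custody_log:
        if action == "REJECTED" or digest != rec.original_hash:
            return False
        if last is not None and when < last:
            return False
        last = when
    return True


if __name__ == "__main__":
    image = b"constructed disk image bytes 0123456789"  # placeholder, not real evidence
    rec = preserve("EV-001", image, "analyst_a", "2024-05-01T09:00:00Z")
    transfer(rec, image, "analyst_a", "analyst_b", "2024-05-01T11:30:00Z")
    print(rec.item_id, "chain intact:", chain_is_intact(rec))
```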
2. Incident Response (IR)
The exam follows the standard 6-step IR lifecycle. You must know these in order:
- Preparation: Training, tools, and policy (the most important step).
- Detection/Identification: Noticing something is wrong.
- Containment: Limiting the damage (e.g., isolating a VLAN).
- Eradication: Removing the root cause (e.g., deleting malware).
- Recovery: Restoring systems to normal operation.
- Lessons Learned: Reviewing the incident to improve future response.
3. Logging, Monitoring, and Threat Hunting
- Egress Monitoring: Watching traffic leaving the network (critical for DLP).
- SIEM (Security Information and Event Management): Centralizes logs for correlation and alerting.
- SOAR (Security Orchestration, Automation, and Response): Automates the IR steps identified above.
- Threat Hunting: Proactively searching for threats that have bypassed existing security controls, rather than waiting for an alert.
4. Disaster Recovery (DR) vs. BCP
- BCP (Business Continuity Planning): Focuses on the business (keeping people working and the doors open). Long-term and strategic.
- DR (Disaster Recovery): Focuses on IT (restoring servers, data, and networks). Short-term and tactical.
- BIA (Business Impact Analysis): The first step of BCP. It identifies critical assets and determines:
  - RTO (Recovery Time Objective): How quickly you need to be back up.
  - RPO (Recovery Point Objective): How much data loss (in time) is acceptable.
  - MTTF (Mean Time to Failure): Average time a non-repairable asset lasts.
  - MTTR (Mean Time to Repair): Average time to fix a failed asset.
5. Recovery Sites
| Site Type | Cost | Readiness | Hardware Present? | Data Present? |
|---|---|---|---|---|
| Hot Site | Highest | Minutes/Hours | Yes | Yes (Mirrored) |
| Warm Site | Medium | Hours/Days | Some | No (Backups needed) |
| Cold Site | Lowest | Days/Weeks | No | No |
| Tertiary Site | High | Backup to the backup; usually in a different geographic region | | |
6. Physical Security Operations
- Internal Security: Guards, dogs, and internal sensors.
- Perimeter: CCTV (used for assessment, not just detection), fencing, and lighting.
- Safety: The #1 priority in any emergency or physical security plan is Life Safety.
