EXAM FOCUS (Domain 7): CISSP tests operational judgment—what you do first, what evidence you protect, which control reduces blast radius, and which metric proves recovery. If you see “incident + logs + legal,” think evidence handling. If you see “downtime + restore,” think RTO/RPO and recovery strategy. If you see “admin access,” think least privilege + PAM + separation of duties.

Domain 7 is the operational execution layer of the CISSP Common Body of Knowledge, where security architecture and policy are translated into real-world action. It focuses on day-to-day security operations such as monitoring, investigations, incident response, resource protection, and recovery under pressure. CISSP evaluates your ability to apply sound judgment in live scenarios—what to do first, how to contain damage, how to preserve evidence, and how to restore operations without increasing risk. Security operations are not static controls but a continuous cycle of detection, response, and improvement, and every action taken must be legally defensible, auditable, and aligned with business priorities.
7.0 Understand and comply with investigations
In the event of a security incident, securing the scene is the first and most critical step. Failure to stabilize systems and restrict access immediately can compromise evidence integrity and invalidate the entire investigation. Once evidence is altered or contaminated, it cannot be restored to a legally acceptable state.
Legal Standards for Investigators
CISSP expects familiarity with the legal thresholds governing investigations:
Burden of Proof: The obligation on the investigator to present sufficient evidence to support a claim or conclusion.
Preponderance of Evidence: Common in civil cases; indicates that a claim is more likely than not (>50%). This is a lower standard than criminal proof beyond a reasonable doubt.
The Forensic Investigation Process
Improper handling at any stage can result in evidence being ruled inadmissible:
Identification and Securing
Establish control over systems and document evidence locations.
Risk: Evidence tampering or loss before collection.
Collection
Acquire evidence while preserving integrity and maintaining chain of custody.
Risk: Broken custody invalidates evidence.
Examination
Review collected data for relevant artifacts.
Risk: Missing secondary systems or indicators of compromise.
Analysis
Correlate findings and determine cause, scope, and impact.
Risk: Incorrect conclusions or attribution.
Reporting
Document findings clearly for legal, regulatory, or management review.
Risk: Unclear or overly technical reports reduce evidentiary value.
The Five Rules of Evidence
| Rule | Description | CISSP Relevance |
|---|---|---|
| Authentic | Evidence is genuine | Proven via hashes and documentation |
| Accurate | Evidence maintains integrity | Tools must not alter originals |
| Complete | All relevant evidence included | Avoid selective disclosure |
| Convincing | Evidence supports conclusions | Must be understandable and credible |
| Admissible | Legally obtained and handled | Chain of custody is mandatory |
Chain of Custody
Evidence must be documented from collection through presentation. Any unexplained gap renders the evidence unreliable.
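The two rules the table ties to hashes and custody (Authentic and Admissible) can be checked mechanically. The following is an added illustration, not part of the original notes: a minimal custody record that stores a SHA-256 of the forensic image at every handoff and flags both a hash mismatch and a change of handler that no "transferred" entry documents. The image bytes, handler names and timestamps are constructed.

```python
import hashlib
from dataclasses import dataclass, field
# Constructed stand-in for a bit-for-bit forensic image (not real evidence).
ORIGINAL_IMAGE = b"constructed disk image bytes"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    handler: str
    action: str       # "collected", "transferred" or "examined"
    timestamp: str    # ISO 8601; constructed values in the demo below
    image_hash: str   # hash of the copy in this handler's possession

@dataclass
class EvidenceRecord:
    original_hash: str                  # hash taken at the moment of collection
    chain: list = field(default_factory=list)

    def log(self, handler, action, timestamp, data: bytes):
        self.chain.append(CustodyEntry(handler, action, timestamp, sha256_hex(data)))

    def verify(self) -> list:
        """Return the list of defects; empty means authentic and custody is continuous."""
        problems = []
        if not self.chain or self.chain[0].action != "collected":
            problems.append("chain does not begin with collection")
        for i, entry in enumerate(self.chain):
            # Authentic/Accurate: every copy must hash identically to the original.
            if entry.image_hash != self.original_hash:
                problems.append(f"entry {i} ({entry.handler}): hash mismatch")
            # Admissible: a change of handler is valid only after a recorded transfer.
            if i and entry.handler != self.chain[i - 1].handler and self.chain[i - 1].action != "transferred":
                problems.append(f"undocumented handoff before entry {i} ({entry.handler})")
        return problems

def intact_record() -> EvidenceRecord:
    rec = EvidenceRecord(sha256_hex(ORIGINAL_IMAGE))
    rec.log("first_responder", "collected", "2024-01-01T09:00:00Z", ORIGINAL_IMAGE)
    rec.log("first_responder", "transferred", "2024-01-01T10:00:00Z", ORIGINAL_IMAGE)
    rec.log("analyst", "examined", "2024-01-02T08:00:00Z", ORIGINAL_IMAGE)
    return rec

def broken_record() -> EvidenceRecord:
    rec = EvidenceRecord(sha256_hex(ORIGINAL_IMAGE))
    rec.log("first_responder", "collected", "2024-01-01T09:00:00Z", ORIGINAL_IMAGE)
    # No transfer entry, and the analyst's working copy no longer matches the original.
    rec.log("analyst", "examined", "2024-01-02T08:00:00Z", ORIGINAL_IMAGE + b"x")
    return rec
```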
Digital Forensic Techniques and Evidence
Live Evidence: Volatile data such as RAM and running processes; must be captured first.
Forensic Copies: Bit-for-bit images used for all analysis; originals are preserved.
Media Analysis: Recovery of data beyond file system structures.
Software Analysis: Understanding application or malware behavior for impact assessment.
Challenges of Mobile Forensics
Rapid OS and hardware changes
Limited tool interoperability
Application sandboxing and encryption
High skill and training requirements
eDiscovery
eDiscovery is the formal identification, preservation, collection, and production of electronically stored information (ESI) for legal or regulatory proceedings.
EXAM RULE: Forensic handling must be repeatable, documented, and legally defensible. “Best effort” is not acceptable.
7.1 Conduct Logging and Monitoring Activities
Logging and monitoring provide the visibility required to detect security events, support investigations, and demonstrate control effectiveness. In CISSP, these capabilities are evaluated as operational and governance controls, not as tool-specific implementations.
Security Information and Event Management (SIEM)
SIEM systems convert large volumes of raw log data into actionable security intelligence.
Core SIEM Capabilities
Aggregation: Centralized collection of logs from multiple sources (servers, network devices, IDS/IPS, DLP).
Normalization: Standardizing disparate log formats for consistent analysis.
Correlation: Identifying relationships between events across systems to detect attacks.
Secure Storage: Protecting logs from alteration after ingestion.
Analysis: Applying rules and analytics to identify suspicious patterns.
Reporting: Generating alerts and summaries for investigation and escalation.
CISSP Insight: SIEM does not prevent attacks; it detects, supports response, and provides evidence.
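Aggregation, normalization and correlation in miniature, as an added example that is not part of the original notes: two constructed log formats (an sshd-style line and a Windows-style logon record using event IDs 4625/4624) are mapped onto one schema, then a correlation rule looks for a burst of failed logins followed by a success from the same source. The log lines, hosts, users and the 60 s / 300 s thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logs in two different formats (not real system output).
SSHD_LINES = [
    "2024-03-01T10:00:01Z host1 sshd: Failed password for alice from 203.0.113.5",
    "2024-03-01T10:00:03Z host1 sshd: Failed password for alice from 203.0.113.5",
    "2024-03-01T10:00:05Z host1 sshd: Failed password for alice from 203.0.113.5",
    "2024-03-01T10:00:09Z host1 sshd: Accepted password for alice from 203.0.113.5",
    "2024-03-01T11:00:00Z host1 sshd: Failed password for bob from 198.51.100.7",
]
WIN_LINES = [
    "2024-03-01T10:30:00Z host2 EventID=4625 TargetUser=carol Source=203.0.113.9",
    "2024-03-01T10:30:01Z host2 EventID=4625 TargetUser=carol Source=203.0.113.9",
    "2024-03-01T10:30:02Z host2 EventID=4625 TargetUser=carol Source=203.0.113.9",
    "2024-03-01T10:45:00Z host2 EventID=4624 TargetUser=carol Source=203.0.113.9",
]
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(4625|4624) TargetUser=(\S+) Source=(\S+)$")

def normalize(line: str) -> dict:
    """Normalization: map both raw formats onto one schema (ts, host, user, src, outcome)."""
    if m := SSH_RE.match(line):
        ts, host, result, user, src = m.groups()
        outcome = "failure" if result == "Failed" else "success"
    elif m := WIN_RE.match(line):
        ts, host, event_id, user, src = m.groups()
        outcome = "failure" if event_id == "4625" else "success"
    else:
        raise ValueError(f"unparsed line: {line}")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "src": src, "outcome": outcome}

def correlate(events, threshold=3, window=timedelta(seconds=60), follow=timedelta(seconds=300)):
    """>= threshold failures per (src, user) inside window -> 'brute_force'; a success within
    `follow` of the last failure of that burst upgrades the verdict to 'possible_compromise'."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):      # aggregation across both sources
        by_key[(e["src"], e["user"])].append(e)
    verdicts = {}
    for key, evs in by_key.items():
        fails = [e["ts"] for e in evs if e["outcome"] == "failure"]
        for i in range(len(fails) - threshold + 1):
            last = fails[i + threshold - 1]
            if last - fails[i] <= window:
                verdicts[key] = "brute_force"
                if any(e["outcome"] == "success" and last < e["ts"] <= last + follow for e in evs):
                    verdicts[key] = "possible_compromise"
                break
    return verdicts
```

Carol's success arrives 15 minutes after her burst, so she is reported as brute force only; alice's success four seconds after the burst is the one worth escalating.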
Advanced Detection: UEBA and Threat Intelligence
User and Entity Behavior Analytics (UEBA)
UEBA detects insider threats and compromised accounts by identifying deviations from established behavioral baselines (e.g., abnormal access times, unusual data access patterns).
Threat Intelligence
Actionable threat intelligence from trusted sources (ISACs, vendors, government feeds) enables proactive defense by identifying emerging attack techniques, indicators of compromise (IOCs), and threat actor behavior.
CISSP Insight: Threat intelligence is only valuable if it drives detection, prevention, or response decisions.
The Continuous Monitoring Lifecycle
Monitoring is not static; it is a continuous improvement loop:
Define security objectives and metrics
Establish monitoring infrastructure
Implement tools and processes
Analyze and report results
Respond to detected threats
Review and refine controls
Effective monitoring depends on configuration and asset management. You cannot monitor effectively if the secure baseline is undefined.
Log Integrity, Retention, and Legal Hold
Log Integrity
Logs must be protected against tampering using access controls, hashing, digital signatures, and write-once storage where applicable.
Log Retention
Retention periods are policy-driven and influenced by regulatory, legal, and operational requirements.
Legal Hold
When litigation or investigation is anticipated, relevant logs and data must be preserved:
No rotation or overwriting
Restricted access
Documented handling and custody
EXAM RULE: If a scenario mentions court, investigation, regulator, or admissible evidence, your answer must address:
• Log integrity
• Chain of custody
• Legal hold
Failure to include these means the answer is incomplete.
7.2 Perform configuration management
Provisioning and Configuration Management (CM) reduce operational risk by enforcing secure baselines and hardening systems from deployment through retirement. In CISSP, configuration management is evaluated as a preventive and detective control that limits attack surface and enables consistent operations.
Foundational Security Operations Concepts
Need to Know / Least Privilege
Access is granted strictly based on job requirements. Limiting access reduces lateral movement and minimizes blast radius during compromise.
Separation of Duties (SoD)
Critical tasks are divided across multiple roles to prevent fraud, abuse, and concealment of malicious activity.
Privileged Account Management (PAM)
Administrative accounts (root, admin) represent the highest risk and must be tightly controlled using MFA, session monitoring, and restricted use.
Job Rotation
Periodic role changes increase transparency and help detect errors, misconfigurations, or fraudulent behavior.
Service Level Agreements (SLAs)
SLAs define contractual performance and response expectations, ensuring operational security aligns with business requirements.
CISSP Insight: Most operational breaches succeed because baseline controls were not enforced consistently, not because tools were missing.
Resource Protection and Media Management
Every asset must have a clearly assigned owner responsible for its protection throughout its lifecycle.
Media Evaluation Checklist
Confidentiality: Can required encryption and access controls be enforced?
Portability: How easily can the media be removed or lost?
MTBF (Mean Time Between Failure): Is the reliability appropriate for the data value?
Durability: Can the media withstand its operating and storage environment?
Sanitization: Is there a verified, documented end-of-life destruction process?
No configuration remains secure indefinitely. All environments must assume eventual compromise, which makes incident management inevitable.
7.3 Incident Management and Response (IR)
An event is any observable occurrence. An incident is an event that violates policy or threatens confidentiality, integrity, or availability. This distinction determines when the Incident Response (IR) process is activated.
The Incident Response Lifecycle
Prepare
Establish procedures, train personnel, and acquire tools before incidents occur.
Detect
Use monitoring tools (SIEM, IDS/IPS) to identify adverse events.
Respond
Activate the IR team and assess scope and impact.
Mitigate
Contain the incident to prevent further damage. Permanent fixes come later.
Report
Communicate with stakeholders and regulators as required.
Recover
Restore systems to normal operations.
Remediate
Address the root cause to prevent recurrence.
Learn
Conduct post-incident reviews to improve controls and response maturity.
CISSP Insight: Containment always comes before eradication.
Detection and Incident Mapping
| Detection Mechanism | Typical Incidents |
|---|---|
| IDS / IPS | External attacks |
| SIEM | System anomalies |
| DLP | Insider data exfiltration |
| Anti-Malware | Viruses, worms, ransomware |
| Administrative Review | Human error or fraud |
| Physical Controls | Safety incidents or breaches |
Event vs Incident
• Event: Logged occurrence or alert
• Incident: Event requiring response due to policy or CIA impact
EXAM RULE (High Confidence): If a question asks FIRST, IMMEDIATE, or BEST INITIAL ACTION:
• Prioritize containment
• Preserve evidence
• Delay root-cause analysis unless life or safety is at risk
7.4 Malware Taxonomy and Anti-Malware Defenses
Malware has evolved from simple, user-triggered code into adaptive, evasive threats designed to bypass traditional controls. In CISSP, malware is evaluated based on behavior, propagation method, and defensive response, not historical definitions.
Malware Classification (Recognition Level)
Virus
Requires user interaction to execute and spread.
Worm
Self-propagates by exploiting vulnerabilities without user involvement.
Trojan Horse
Disguised as legitimate software while delivering malicious payloads.
Ransomware
Encrypts data or systems to extort payment.
Logic Bomb
Executes when specific conditions are met (time, event, state).
Botnet
A group of compromised systems remotely controlled by an attacker.
Polymorphic Malware
Alters code or signatures during replication to evade detection.
Zero-Day Malware
Exploits unknown vulnerabilities before vendor patches exist.
Malware Functional Buckets (Exam-Useful Mental Model)
• Delivery: Trojan, macro malware, drive-by downloads
• Propagation: Worms, file-infecting viruses
• Stealth: Rootkits, polymorphic malware
• Impact: Ransomware, logic bombs
CISSP Insight: Classification matters only to determine detection and containment strategy.
Detection and Response Strategies
Signature-Based Detection
Matches known malware fingerprints.
Limitation: Ineffective against zero-day threats and requires frequent updates.
Heuristic / Behavioral Detection
Analyzes behavior patterns or suspicious logic.
Primary defense against zero-day malware.
ML / AI-Driven Detection
Uses statistical and behavioral models to predict threats and automate response.
EXAM RULE: Do not describe malware. Explain how it is detected, isolated, contained, and recovered (EDR, segmentation, IOC blocking, restore).
7.5 Implement and support patch and vulnerability management
Uncontrolled change leads to "security drift," where configurations weaken over time.
The 8-Step Change Management Process
Request: Formally ask for a change using management software.
Assess Impact: Determine how the change affects security and performance.
Approval: Management gives the green light based on the impact assessment.
Build and Test: Always test in a non-production environment first.
Notification: Inform stakeholders before implementing the change.
Implement: Roll out the change.
Validation: Ensure the change worked as intended and senior management is notified.
Version/Baseline: Update documentation and baselines to reflect the new "normal."
Patch Management Methods
Agent: Software installed on each device handles the update.
Agentless: A central server connects remotely to devices to push updates.
Passive: Monitoring network traffic to infer which systems are unpatched.
7.6 Recovery Strategies and Redundancy
When operations fail, the system must enter a "Failure Mode."
Failure Modes Comparison
| Mode | Description | Strategy |
|---|---|---|
| Fail-Open (Fail-Soft) | Drops security to maintain flow (e.g., firewall allows all). | Prioritizes Availability. |
| Fail-Closed (Fail-Secure) | Blocks everything to maintain security (e.g., firewall blocks all). | Prioritizes Security. |
| Fail-Safe | Automatically unlocks doors in a fire. | Prioritizes Human Life. |
High Availability (RAID)
• RAID 0 (Striping): Speed only. So What? Zero redundancy; if one drive dies, all data is lost.
• RAID 1 (Mirroring): Redundancy only. So What? Very reliable but doubles your storage costs.
• RAID 5 (Parity): Uses a parity bit computed via XOR operation. So What? A cost-effective balance of speed and redundancy (min 3 disks).
• RAID 10 (Mirroring + Striping): So What? The most expensive but offers the best performance for high-transaction databases.
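Why XOR parity lets RAID 5 survive exactly one disk failure, as an added worked example (not from the original notes): one stripe is written across three data disks plus a parity disk, one disk is marked dead, and the missing block is rebuilt by XORing the survivors. The 4-byte blocks are constructed; real RAID 5 rotates the parity block across disks rather than pinning it to one, which does not change the arithmetic shown here.

```python
def xor_blocks(blocks):
    """XOR equal-length byte blocks together: this is the RAID 5 parity operation."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)

def write_stripe(data_blocks):
    """Return one stripe: the data blocks plus a parity block (min 3 disks in total)."""
    if len(data_blocks) < 2:
        raise ValueError("RAID 5 needs at least two data disks plus one parity disk")
    return list(data_blocks) + [xor_blocks(data_blocks)]

def reconstruct(stripe, lost_index):
    """Rebuild the block that lived on the failed disk (marked None in the stripe).
    XOR of every surviving block, parity included, equals the missing block; the same
    routine rebuilds a lost parity block. A second failed disk makes this impossible."""
    survivors = [blk for i, blk in enumerate(stripe) if i != lost_index and blk is not None]
    if len(survivors) != len(stripe) - 1:
        raise RuntimeError("a second disk has failed: RAID 5 cannot recover")
    return xor_blocks(survivors)

def demo():
    stripe = write_stripe([b"AAAA", b"BBBB", b"CCCC"])   # 3 data disks + 1 parity disk
    degraded = list(stripe)
    degraded[1] = None                                   # disk 1 fails
    return reconstruct(degraded, 1)                      # -> b"BBBB"
```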
Backup Strategies and the Archive Bit
The Archive Bit: 0 = backed up; 1 = modified/needs backup.
• Incremental: Backs up changes since the last incremental backup. Resets bit to 0. (Least storage.)
• Differential: Backs up changes since the last full backup. Leaves bit at 1. (Faster restore than incremental.)
• Mirror: Exact, uncompressed copies. Fastest to restore but highest storage cost.
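The archive-bit rules above decide both how much each backup set holds and how many sets a restore must replay. The following added simulation (not part of the original notes) runs a constructed week, a full backup on Monday followed by three days of edits, under each strategy and reports whether the restore is exact, how many sets it needed, and how many file copies were stored in total.

```python
# Toy file system: each file carries a version counter and the archive bit
# (1 = modified since the last backup that cleared it, 0 = backed up). Constructed example.
class FileSystem:
    def __init__(self, names):
        self.files = {n: {"version": 0, "archive": 1} for n in names}

    def modify(self, name):
        self.files[name]["version"] += 1
        self.files[name]["archive"] = 1      # any write sets the bit again

    def live_state(self):
        return {n: f["version"] for n, f in self.files.items()}

def full_backup(fs):
    snap = fs.live_state()                   # everything, regardless of the bit
    for f in fs.files.values():
        f["archive"] = 0
    return ("full", snap)

def incremental_backup(fs):
    snap = {n: f["version"] for n, f in fs.files.items() if f["archive"]}
    for f in fs.files.values():
        f["archive"] = 0                     # resets the bit: next run sees only newer changes
    return ("incremental", snap)

def differential_backup(fs):
    snap = {n: f["version"] for n, f in fs.files.items() if f["archive"]}
    return ("differential", snap)            # leaves the bit at 1: grows until the next full

def restore(backup_sets):
    state = {}
    for _, snap in backup_sets:              # replay in chronological order
        state.update(snap)
    return state

def simulate(strategy):
    """Mon full, then Tue/Wed/Thu edits each followed by `strategy`.
    Returns (restore is exact, backup sets needed to restore, total file copies stored)."""
    fs = FileSystem(["a", "b", "c", "d"])
    sets = [full_backup(fs)]
    for edits in (["a"], ["a", "b"], ["c"]):
        for name in edits:
            fs.modify(name)
        sets.append(strategy(fs))
    # Differential: full + latest differential. Incremental: full + every incremental, in order.
    needed = [sets[0], sets[-1]] if strategy is differential_backup else sets
    stored = sum(len(snap) for _, snap in sets)
    return restore(needed) == fs.live_state(), len(needed), stored
```

Incremental stores fewer copies (8 vs 10) but needs all four sets to restore; differential needs only two, which is the storage-versus-restore-time trade-off the notes describe.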
7.7 Implement Disaster Recovery (DR) Processes
Business Continuity Management (BCM) is the overarching management process. BCP focuses on sustaining business processes, while DRP focuses on restoring technical infrastructure. CISSP tests your ability to distinguish business survival from IT recovery.
Business Impact Analysis (BIA)
The BIA is the foundation of BCP and DRP. It identifies critical business functions, acceptable downtime, and recovery priorities. Systems supporting the most critical processes are restored first, not the easiest or cheapest ones.
Time-Based Metrics (High-Yield Exam Area)
RPO (Recovery Point Objective)
Maximum tolerable data loss, measured in time.
RTO (Recovery Time Objective)
Maximum tolerable system downtime to reach an acceptable service level.
WRT (Work Recovery Time)
Time required after systems are restored to verify data integrity and resume operations.
MTD / MAD (Maximum Tolerable Downtime)
Absolute business failure threshold. Exceeding this means the organization cannot survive.
EXAM RULE: BIA drives restoration order. Technology does not determine priority — business impact does.
Recovery Site Strategies
| Site Type | Recovery Time | Cost | Description |
|---|---|---|---|
| Cold Site | Long | Low | Facility only; no systems or data |
| Warm Site | Moderate | Moderate | Some hardware and connectivity |
| Hot Site | Short | High | Fully equipped and data-ready |
| Mirrored Site | Immediate | Extreme | Real-time replica of production |
CISSP Insight: Hot ≠ Mirrored. Mirrored sites provide near-zero RTO and RPO.
Disaster Recovery Plan (DRP) Testing Types
| Test Type | Description | Affects Production |
|---|---|---|
| Read-through | Desk review for completeness | No |
| Walkthrough | Stakeholders simulate actions | No |
| Simulation | Scenario-based exercise | No |
| Parallel | Recovery site tested alongside production | No |
| Full-Interruption | Production shutdown | Yes |
EXAM RULE: Full-interruption testing provides the highest confidence but carries the highest risk.
DR Strategy Mapping
• RPO → acceptable data loss
• RTO → acceptable downtime
• MTD / MTTR → business survival limits
• Hot / Warm / Cold Sites → speed vs cost trade-off
EXAM RULE: If asked “Which recovery site?”, choose based on RTO and RPO, not cost.
Final Exam Takeaways
• Evidence integrity is irreversible once compromised.
• Chain of custody must be continuous and documented (Tag, Bag, Carry).
• Live evidence (RAM) must be captured before shutdown.
• An event is observable; an incident threatens CIA or policy.
• During incidents, containment comes before root cause analysis.
• Heuristic detection is critical for zero-day malware.
• RAID improves availability, not backup or security.
• BIA determines recovery order — not IT preference.
• Fail-safe controls always prioritize human life.