ISC2 CISSP: Security Operations

Security Operations is 13% of the ISC2 CISSP exam. This module covers the daily work of running security: monitoring systems, handling incidents, recovering from disaster, and keeping the business running. This is the operational heart of the security program, where policy meets practice.
Operations is where security lives or dies. A perfect architecture means nothing if nobody watches the logs, responds to alerts, or tests the backups. This domain teaches you to run security as an ongoing discipline, not a one-time project.
Investigations and Digital Forensics
You conduct investigations to understand what happened and to support legal action.
Evidence handling follows a strict chain of custody so evidence holds up in court. You document who collected each item, when, where, and every transfer. A break in the chain makes evidence inadmissible.
You collect evidence in order of volatility, capturing the most fragile data first:
- CPU registers and cache
- RAM and running processes
- Network connections and ARP cache
- Disk and swap files
- Logs and archived media
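The two points above, chain of custody and order of volatility, can be made concrete in code. The following Python script is an added example written for this page, not course material: it hashes each evidence item at acquisition, records every collection and hand-off, checks that each transfer comes from whoever held the item last, and sorts items so the most volatile categories are acquired first. The item names, people, locations, timestamps and contents are constructed.

```python
"""Chain-of-custody record with integrity hashing and order-of-volatility sorting.

Added example, not from the course page. Item names, people, locations,
timestamps and contents are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Order of volatility from the page: lower rank is more volatile, so collect it first.
VOLATILITY = {
    "registers_cache": 0,
    "memory": 1,
    "network_state": 2,
    "disk_swap": 3,
    "logs_archives": 4,
}


@dataclass
class CustodyEvent:
    when: datetime
    action: str                 # "collected" or "transferred"
    from_person: Optional[str]  # None for the initial collection
    to_person: str
    location: str


@dataclass
class Evidence:
    item_id: str
    category: str               # a key of VOLATILITY
    data: bytes
    sha256: str = field(init=False)
    custody: List[CustodyEvent] = field(default_factory=list)

    def __post_init__(self):
        # Hash at acquisition; every later check must reproduce this digest.
        self.sha256 = hashlib.sha256(self.data).hexdigest()

    def collect(self, collector, location, when):
        self.custody.append(CustodyEvent(when, "collected", None, collector, location))

    def transfer(self, from_person, to_person, location, when):
        self.custody.append(CustodyEvent(when, "transferred", from_person, to_person, location))

    def verify_integrity(self, current_data: bytes) -> bool:
        """True if the item presented now matches the acquisition hash."""
        return hashlib.sha256(current_data).hexdigest() == self.sha256

    def chain_is_unbroken(self) -> bool:
        """Every hand-off must come from whoever held the item last, in time order."""
        if not self.custody or self.custody[0].action != "collected":
            return False
        holder = self.custody[0].to_person
        last_time = self.custody[0].when
        for ev in self.custody[1:]:
            if ev.action != "transferred" or ev.from_person != holder or ev.when < last_time:
                return False
            holder, last_time = ev.to_person, ev.when
        return True


def collection_order(items):
    """Sort evidence so the most volatile categories are acquired first."""
    return sorted(items, key=lambda e: VOLATILITY[e.category])


def sample_case():
    """Constructed case: one item with a clean chain, one with a gap."""
    t0 = datetime(2024, 3, 3, 3, 10)
    good = Evidence("E-001", "memory", b"ram dump (constructed)")
    good.collect("analyst_a", "server room", t0)
    good.transfer("analyst_a", "evidence_custodian", "evidence locker", t0.replace(hour=5))

    broken = Evidence("E-002", "disk_swap", b"disk image (constructed)")
    broken.collect("analyst_a", "server room", t0)
    # Hand-off recorded from someone who never held the item: a break in the chain.
    broken.transfer("analyst_b", "evidence_custodian", "evidence locker", t0.replace(hour=5))
    return good, broken


if __name__ == "__main__":
    good, broken = sample_case()
    print("E-001 chain intact:", good.chain_is_unbroken())
    print("E-002 chain intact:", broken.chain_is_unbroken())
```

Run it and E-001 reports an intact chain while E-002 does not, because its transfer is recorded from a person who never held the item. The hash check is the other half of admissibility: a presented copy that fails `verify_integrity` is not the item that was collected.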
Investigation types differ by their standard of proof:
| Type | Standard of proof | Goal |
|---|---|---|
| Administrative | Lowest | Internal policy and HR matters |
| Civil | Preponderance of evidence | Disputes between parties |
| Criminal | Beyond a reasonable doubt | Prosecution by the state |
| Regulatory | Varies by regulator | Compliance enforcement |
Logging and Monitoring
You watch systems continuously so you detect threats before they cause harm.
- SIEM (Security Information and Event Management) collects logs from across the environment, correlates them, and alerts on suspicious patterns.
- Continuous monitoring keeps watch on controls and configurations in real time.
- Egress monitoring inspects outbound traffic to catch data exfiltration and command-and-control.
- Threat intelligence feeds known indicators into your detection so you spot known-bad activity.
- UEBA (User and Entity Behavior Analytics) baselines normal behavior and flags anomalies, like a user downloading gigabytes at 3 a.m.
```bash
# Tail authentication logs for failed logins during an investigation
grep "Failed password" /var/log/auth.log | tail -n 20
# Watch active network connections for unexpected outbound traffic
ss -tunp | grep ESTAB
```
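The grep above finds failed logins; a SIEM goes one step further and correlates them. The Python script below is an added example, not part of the course page: it parses sshd "Failed password" lines and raises one alert per source address that reaches a threshold of failures inside a sliding time window, which is the shape of a basic brute-force correlation rule. The auth.log lines are constructed sample data and the threshold and window are assumed values.

```python
"""Correlate failed SSH logins per source address in a sliding window.

Added example, not part of the course page: a minimal SIEM-style rule.
The auth.log lines below are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 02:58:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 02:58:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:58:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar  3 02:58:05 host sshd[1207]: Failed password for root from 203.0.113.7 port 51132 ssh2
Mar  3 02:58:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 02:59:10 host sshd[1220]: Accepted password for alice from 198.51.100.12 port 40110 ssh2
Mar  3 03:20:00 host sshd[1300]: Failed password for alice from 198.51.100.12 port 40200 ssh2
Mar  3 03:45:00 host sshd[1310]: Failed password for alice from 198.51.100.12 port 40201 ssh2
"""

# syslog timestamp, host, sshd[pid], then the failed-login message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source_ip) for each failed-login line.

    Syslog lines carry no year, so one is supplied (assumed 2024 for the sample).
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def brute_force_alerts(text, threshold=5, window_seconds=60):
    """Alert once per source IP that reaches `threshold` failures within the window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ts, user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        # Drop failures that have slid out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q), "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in brute_force_alerts(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['count']} failures between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the defaults, 203.0.113.7 trips the rule (five failures in eight seconds) while the two failures from 198.51.100.12, twenty-five minutes apart, do not. Widening the window and lowering the threshold changes that, which is the tuning trade-off every correlation rule carries: catch slow attempts at the cost of more noise from ordinary mistyped passwords.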
You connect monitoring back to the testing in Security Assessment and Testing, where log reviews confirm your monitoring captures what you need.
Configuration Management
You control how systems are built and changed so they stay secure and consistent.
- Provisioning deploys systems from a known-good template.
- Baselining defines a secure standard configuration every system must meet.
- Automation enforces the baseline at scale so manual drift cannot creep in. Tools like Ansible keep systems in their desired state, as covered in Ansible for beginners.
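A baseline is only useful if something compares real systems against it. The Python script below is an added example, not from the course page or from Ansible: it parses an sshd_config, compares the directives that matter to a secure baseline, reports drift (including directives that are missing and therefore fall back to the daemon's default), and emits the lines an automation tool would need to apply. The baseline values and the sample config are constructed, so adjust them to your own policy.

```python
"""Compare a host's sshd_config to a secure baseline and report drift.

Added example, not from the course page. The baseline values and the
sample configuration text are constructed for illustration.
"""
import re

# Secure baseline: directive -> required value (constructed; tune to policy).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

SAMPLE_CONFIG = """\
# sshd_config pulled from a host (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no   # trailing comments are stripped
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Return {directive: value}. sshd honours the first occurrence of a directive,
    so later duplicates are ignored here too. Both 'Key value' and 'Key=value' parse."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key, value.strip())
    return settings


def drift_report(config_text, baseline=BASELINE):
    """List (directive, required, actual) for every baseline directive that is
    missing or set to a non-compliant value."""
    actual = parse_sshd_config(config_text)
    findings = []
    for key, required in baseline.items():
        have = actual.get(key)
        if have is None:
            findings.append((key, required, "<missing: sshd default applies>"))
        elif have.lower() != required.lower():
            findings.append((key, required, have))
    return findings


def remediation_lines(findings):
    """The directive lines an automation tool would enforce to close each finding."""
    return [f"{key} {required}" for key, required, _ in findings]


if __name__ == "__main__":
    found = drift_report(SAMPLE_CONFIG)
    for key, required, have in found:
        print(f"DRIFT {key}: want {required}, have {have}")
    print("apply:", remediation_lines(found))
```

On the sample config this reports three findings: root login is permitted, MaxAuthTries is too high, and LogLevel is absent. The missing-directive case is the one hand-checks tend to overlook; a directive that is not set is not "fine", it is whatever the daemon defaults to.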
Foundational Operations Concepts
These principles limit what any one person can do and reduce insider risk.
| Concept | What it does |
|---|---|
| Need-to-know | Access only the data required for a task |
| Least privilege | The minimum rights to do the job |
| Separation of duties (SoD) | Split critical tasks so no one person controls a whole process |
| Privileged account management | Tightly control and monitor admin accounts |
| Job rotation | Move people through roles to detect fraud |
| Mandatory vacation | Force time off so hidden fraud surfaces |
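Separation of duties is easy to state and easy to lose track of once people accumulate roles. The Python script below is an added example, not from the course page: it expresses conflicting duty pairs as policy, resolves each user's effective duties from their roles, flags anyone who holds both halves of a conflict, and lets an access request be checked before it is granted. The role names, duties, conflict pairs and users are all constructed.

```python
"""Detect separation-of-duties conflicts in role assignments.

Added example, not from the course page. Role names, duties, conflict
pairs and user assignments are constructed for illustration.
"""

# Pairs of duties one person must never hold together (constructed policy).
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"write_code", "deploy_to_prod"}),
    frozenset({"request_access", "grant_access"}),
}

# Which duties each role carries (constructed role model).
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"write_code"},
    "release_engineer": {"deploy_to_prod"},
    "helpdesk": {"grant_access"},
    "employee": {"request_access"},
}


def effective_duties(user_roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by every role the user holds."""
    return set().union(*(role_duties.get(r, set()) for r in user_roles))


def sod_violations(assignments, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Return {user: [sorted conflicting duty pairs]} for users holding both halves of a conflict."""
    out = {}
    for user, roles in assignments.items():
        duties = effective_duties(roles, role_duties)
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= duties)
        if hits:
            out[user] = hits
    return out


def can_assign(current_roles, new_role, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """True if adding `new_role` would not give the user both halves of any conflict.
    Use this at request time so a violation is prevented rather than found later."""
    duties = effective_duties(list(current_roles) + [new_role], role_duties)
    return not any(c <= duties for c in conflicts)


SAMPLE_ASSIGNMENTS = {
    "bob": ["ap_clerk", "ap_manager"],          # can create a vendor and approve its payment
    "carol": ["developer"],
    "dave": ["developer", "release_engineer"],  # can write code and push it to production
    "erin": ["helpdesk"],
}

if __name__ == "__main__":
    for user, hits in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {hits}")
    print("carol -> release_engineer allowed:", can_assign(["developer"], "release_engineer"))
```

Bob and Dave are flagged; Carol is clean until someone tries to add release_engineer, which `can_assign` refuses. Running the same check periodically against the live directory is how job rotation and role changes get caught before an audit does.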
Incident Management
You follow a repeatable lifecycle for every incident so response is fast and consistent.
- Detection identifies a possible incident from alerts or reports.
- Response activates the team and contains the initial damage.
- Mitigation stops the incident from spreading further.
- Reporting notifies stakeholders, regulators, and law enforcement as required.
- Recovery restores affected systems to normal operation.
- Remediation removes the root cause so it cannot happen again.
- Lessons learned reviews the incident to improve the process.
Detection and Preventative Measures
You operate layered defenses that detect and block threats.
- Firewalls filter traffic by rules at network boundaries.
- IDS/IPS detect (IDS) or detect and block (IPS) malicious traffic.
- Sandboxing runs untrusted code in isolation to study its behavior safely.
- Honeypots are decoy systems that lure and study attackers.
- Anti-malware blocks known and behavior-based threats on endpoints.
- AI-based tools detect novel threats by learning normal behavior, a fast-moving area covered in the state of AI in cybersecurity.
Recovery, Disaster Recovery, and Continuity
You plan for failure so the business survives it. Two metrics drive every recovery decision:
| Metric | Defines |
|---|---|
| RTO (Recovery Time Objective) | How fast you must restore a system |
| RPO (Recovery Point Objective) | How much data you can afford to lose |
You choose a recovery site based on cost and speed:
| Site type | Ready in | Cost |
|---|---|---|
| Hot site | Minutes to hours | Highest |
| Warm site | Hours to days | Medium |
| Cold site | Days to weeks | Lowest |
Backup strategies balance speed and storage. A full backup is complete but slow. Incremental backups are fast to take but slower to restore, because a restore needs the last full backup plus every incremental taken since it. The 3-2-1 rule keeps three copies on two media types with one offsite.
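RTO, RPO and the full-versus-incremental trade-off come together when you work out a real restore. The Python script below is an added example, not from the course page: given a backup schedule and a failure time, it computes which backups the restore must replay (walking back through incrementals to the last full, or jumping straight from a differential to its full), the data-loss window that restore point implies, and whether that window fits the RPO. The schedules and times are constructed, and differential backups are modelled as well even though the page only names full and incremental.

```python
"""Work out the restore chain a backup schedule implies and the RPO it achieves.

Added example, not from the course page. The schedules, failure time and
RPO values below are constructed for illustration.
"""
from datetime import datetime, timedelta


def restore_chain(backups, target):
    """Backups needed, oldest first, to restore to the latest point at or before `target`.

    backups: iterable of (timestamp, kind), kind in {"full", "incremental", "differential"}.
    An incremental holds changes since the previous backup of any kind, so every one
    after the last full is needed; a differential holds everything since the last full,
    so only it and that full are needed. Returns None if no usable full exists.
    """
    usable = sorted((b for b in backups if b[0] <= target), key=lambda b: b[0])
    chain = []
    for ts, kind in reversed(usable):
        chain.append((ts, kind))
        if kind == "full":
            break
        if kind == "differential":
            full = next(((t, k) for t, k in reversed(usable) if k == "full" and t < ts), None)
            if full is None:
                return None
            chain.append(full)
            break
    else:
        return None  # walked back through everything without finding a full
    chain.reverse()
    return chain


def achieved_rpo(chain, failure_time):
    """Data-loss window: time between the newest backup in the chain and the failure."""
    return failure_time - chain[-1][0]


def meets_rpo(chain, failure_time, rpo):
    return achieved_rpo(chain, failure_time) <= rpo


def sample_schedule(kind, start=datetime(2024, 3, 3, 2, 0), days=7):
    """Constructed schedule: one full at `start`, then one `kind` backup every night."""
    sched = [(start, "full")]
    for d in range(1, days):
        sched.append((start + timedelta(days=d), kind))
    return sched


if __name__ == "__main__":
    failure = datetime(2024, 3, 6, 14, 0)
    for kind in ("incremental", "differential"):
        chain = restore_chain(sample_schedule(kind), failure)
        print(f"{kind}: replay {len(chain)} backups, data loss {achieved_rpo(chain, failure)}, "
              f"meets 24h RPO: {meets_rpo(chain, failure, timedelta(hours=24))}")
```

For a failure on the fourth day, the incremental schedule needs four backups replayed while the differential schedule needs two; both leave the same twelve-hour loss window, which fits a 24-hour RPO and fails a 6-hour one. The chain length is the restore-time cost the page refers to, and the loss window is what has to be compared with the RPO when you pick a backup interval.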
You test Business Continuity (BC) plans with increasing realism:
- Read-through of the plan on paper
- Tabletop discussion of a scenario
- Walkthrough step by step
- Simulation of a realistic event
- Parallel test running the backup site alongside production
- Full interruption that fails over completely, the most thorough and most disruptive
Physical Security and Personnel Safety
You protect facilities and people because human life always takes priority over assets. You use access controls, cameras, lighting, and guards, and you plan for evacuation and safety. You also watch for insider threats, using behavior analytics and separation of duties to catch malicious or careless employees.
Next Steps
Finish the course with Software Development Security, then ground operations in Security and Risk Management and verify controls with Security Assessment and Testing. Return to the ISC2 CISSP Course.


