6.5.2
|
External
|
15
|
|
6.5.3
|
Third-party
|
15
|
|
Domain 7
|
Security Operations
|
|
|
7.1
|
Understand and comply with investigations
|
19
|
|
7.1.1
|
Evidence collection and handling
|
19
|
|
7.1.2
|
Reporting and documentation
|
19
|
|
7.1.3
|
Investigative techniques
|
19
|
|
7.1.4
|
Digital forensics tools, tactics, and procedures
|
19
|
|
7.1.5
|
Artifacts (e.g., computer, network, mobile device)
|
19
|
|
7.2
|
Conduct logging and monitoring activities
|
17, 21
|
|
7.2.1
|
Intrusion detection and prevention
|
17
|
|
7.2.2
|
Security Information and Event Management (SIEM)
|
17
|
|
7.2.3
|
Continuous monitoring
|
17
|
|
7.2.4
|
Egress monitoring
|
17
|
|
7.2.5
|
Log management
|
17
|
|
7.2.6
|
Threat intelligence (e.g., threat feeds, threat hunting)
|
17
|
|
7.2.7
|
User and Entity Behavior Analytics (UEBA)
|
21
|
|
7.3
|
Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
|
16
|
|
7.4
|
Apply foundational security operations concepts
|
16
|
|
7.4.1
|
Need-to-know/least privilege
|
16
|
|
7.4.2
|
Separation of Duties (SoD) and responsibilities
|
16
|
|
7.4.3
|
Privileged account management
|
16
|
|
7.4.4
|
Job rotation
|
16
|
|
7.4.5
|
Service Level Agreements (SLA)
|
16
|
|
7.5
|
Apply resource protection
|
16
|
|
7.5.1
|
Media management
|
16
|
|
7.5.2
|
Media protection techniques
|
16
|
|
7.6
|
Conduct incident management
|
17
|
|
7.6.1
|
Detection
|
17
|
|
7.6.2
|
Response
|
17
|
|
7.6.3
|
Mitigation
|
17
|
|
7.6.4
|
Reporting
|
17
|
|
7.6.5
|
Recovery
|
