Appendix: Experience Mapping

Experience Mapping: Infrastructure → CISSP

This appendix maps your actual production infrastructure to CISSP exam concepts. When studying, connect abstract concepts to real systems you’ve built and operated.

| CISSP Concept | Your Infrastructure | Domain |
|---|---|---|
| PKI Certificate Hierarchy | Vault Root CA → DOMUS-ISSUING-CA → end entity certs | Domain 3 |
| Access Control (NAC) | Cisco ISE — 26,000+ endpoints, 802.1X EAP-TLS | Domains 4, 5 |
| Network Segmentation | VLAN architecture (10=DATA, 100=INFRA, 110=SECURITY, 999=QUARANTINE) | Domain 4 |
| Firewall (Stateful) | VyOS HA pair with VRRP, zone-based policies | Domain 4 |
| Identity Federation | Keycloak OIDC/SAML, FreeIPA Kerberos, AD LDAP | Domain 5 |
| RBAC | ISE admin roles, Vault policies, AD security groups | Domain 5 |
| MFA | YubiKey FIDO2 + SSH keys + password | Domain 5 |
| Encryption at Rest | age-encrypted secrets, gopass GPG, LUKS disk encryption | Domains 2, 3 |
| Encryption in Transit | EAP-TLS (802.1X), Vault TLS, SSH (Vault CA) | Domains 3, 4 |
| SIEM | Wazuh on k3s (detection, alerting, log correlation) | Domains 6, 7 |
| Incident Response | CHLA SOC operations, domus RCA process | Domain 7 |
| Business Continuity | VyOS VRRP (HA failover), Vault Raft consensus | Domains 1, 7 |
| Disaster Recovery | Borg 3-2-1 backup strategy, Seagate + Synology + M-DISC | Domains 1, 7 |
| Change Management | domus-captures CR- and CHG- case studies | Domains 7, 8 |
| Configuration Management | Antora docs-as-code, stow dotfiles, Ansible | Domain 7 |
| Vulnerability Assessment | Wazuh agents, port audits (ss -tlnp) | Domain 6 |
| Secure SDLC | Python CLI tools (netapi, dsec), CI/CD (Cloudflare Pages) | Domain 8 |
| HIPAA Compliance | CHLA healthcare environment, PHI handling | Domain 1 |
| DNS Security | BIND HA with TSIG zone transfers, RPZ content filtering | Domain 4 |