Phase 7: Domain 7 — Security Operations

Phase 7: Domain 7 — Security Operations (13%)

Timeline: May 17-20 (Week 7, first half)

Maps to your SIEM, incident response, and disaster recovery experience. Wazuh, Borg backups, VyOS VRRP HA — real operational experience.

Key Concepts

Incident Response

Phases (memorize in order):

Preparation — IR plan, team, tools, training
Detection and Analysis — SIEM alerts (your Wazuh), indicators of compromise
Containment — Short-term (isolate), long-term (patch, rebuild)
Eradication — Remove root cause, malware, compromised accounts
Recovery — Restore from backup (your Borg), validate, monitor
Post-Incident Activity — Lessons learned, update procedures (your RCA process)

Evidence Handling

Chain of custody — document every transfer
Forensic imaging — bit-for-bit copy, hash verification
Order of volatility: registers → cache → RAM → disk → logs → archives
Legal hold — preserve evidence for litigation

Disaster Recovery

Site Type	Recovery Time	Your Mapping
Hot site	Minutes to hours	VyOS VRRP (automatic failover)
Warm site	Hours to days	Secondary KVM host (kvm-02)
Cold site	Days to weeks	Borg backup restore to new hardware
Cloud site	Variable	Cloudflare Pages (doc failover)

Site Type

Recovery Time

Your Mapping

Hot site

Minutes to hours

VyOS VRRP (automatic failover)

Warm site

Hours to days

Secondary KVM host (kvm-02)

Cold site

Days to weeks

Borg backup restore to new hardware

Cloud site

Variable

Cloudflare Pages (doc failover)

RTO (Recovery Time Objective) — max acceptable downtime
RPO (Recovery Point Objective) — max acceptable data loss
MTD (Maximum Tolerable Downtime) — beyond this, business fails
MTBF (Mean Time Between Failures) — reliability metric
MTTR (Mean Time To Repair) — recoverability metric

Operations Security

Need-to-know and least privilege (your Vault policies)
Separation of duties and dual control
Job rotation and mandatory vacations (fraud detection)
Patch management and vulnerability management
Change management (your CR process in domus-captures)
Configuration management (your Antora docs-as-code)

Physical Security Operations

Perimeter security, access control, surveillance
Environmental controls (fire, water, HVAC)
Personnel safety — always FIRST priority

Practice Questions

25 questions/day — your operational experience gives you an edge here.

Check	Status
Read Study Guide Chapters 16-17 (Operations)	[ ]
Watch Destination Certification MindMap — Domain 7	[ ]
IR phases memorized (6 phases in order)	[ ]
Evidence handling and chain of custody understood	[ ]
DR site types and metrics memorized (RTO, RPO, MTD, MTBF, MTTR)	[ ]
Mapped Wazuh/Borg/VyOS to Domain 7 concepts	[ ]
25+ practice questions completed (Domain 7)	[ ]

Check

Status

Read Study Guide Chapters 16-17 (Operations)

[ ]

Watch Destination Certification MindMap — Domain 7

[ ]

IR phases memorized (6 phases in order)

[ ]

Evidence handling and chain of custody understood

[ ]

DR site types and metrics memorized (RTO, RPO, MTD, MTBF, MTTR)

[ ]

Mapped Wazuh/Borg/VyOS to Domain 7 concepts

[ ]

25+ practice questions completed (Domain 7)

[ ]