Security Operations
Operations is the day-to-day work of keeping a system secure, and the question is always which job a scenario belongs to
The other domains tell you what good security looks like; this one is the daily grind of running it. Picture the same laptop full of customer records on four different days: one day you are encrypting it and deciding how long to keep the records, another you are stripping unused services off it, another you are writing down the rule for who may carry it home, another you are teaching its owner not to click a phishing link. Those are the four jobs of security operations: protect the data, harden the system, codify the rule, and train the person. Almost every question in this domain is really asking which of those four owns the scenario, and the classic trap is to mix two of them: a policy is a written rule, hardening is a setting on the machine, and awareness is a habit in the user's head, so 'the laptop should be encrypted' is a data-security control, 'encryption is required by company rule' is a policy, and 'the user knows to encrypt it' is awareness. Name the job first and the right answer usually follows.
The domain unfolds in four jobs: data, then systems, then rules, then people
Read this page as a map, then follow the four subtopics in order. Data Security protects the information itself, covering encryption versus hashing, the three data states and how to destroy data for good, plus the logging and monitoring that record what happened. System Hardening keeps the machine in a known-good state by shrinking its attack surface, holding it to an approved baseline, and applying patches on a schedule. Security Policies are the written rules that say what is allowed, naming the everyday policies (acceptable use, password, BYOD (bring your own device), data handling, privacy, change management) and the change-management cycle that makes a change reversible. Security Awareness Training closes the loop on the human layer, teaching staff to spot social engineering and practice good password habits. Each subtopic carries the mechanisms, the figures, and the traps; this page just shows how they fit together.
When two answers both work, prefer the documented, repeatable, least-functionality choice
Across all four jobs the exam rewards the same instinct: the secure way is the disciplined, written-down way, and a system should do only what it actually needs. That means classify data before you decide how to handle it, hold systems to an approved baseline instead of letting each admin tweak by hand, run every change through change control with a rollback plan rather than fixing it live, and turn off any service, port, or account a system does not use. The least-functionality, documented, reversible option is the right answer far more often than the clever or convenient one, and each subtopic shows where the genuine exceptions live.
The four jobs of security operations (and where each is covered)
| Job | Protects | Key ideas | Drill into |
|---|---|---|---|
| Data | The information itself | Encryption vs hashing, three data states, sanitization, logging & monitoring | Data Security |
| System | The machine's known-good state | Attack surface, baseline, patch cycle, least functionality | System Hardening |
| Rules | What people are allowed to do | AUP, password, BYOD, data handling, privacy, change management | Security Policies |
| People | The human layer | Social engineering, phishing types, password hygiene, MFA | Security Awareness Training |