Quick review: Security Operations – ISC2 CC

What you really need to know

Security operations are the daily activities that keep systems, data, networks and services secure. For ISC2 CC, you need to understand that security is not only design or incident response: it must be managed every day through controls, procedures, monitoring and continuous maintenance.

Security operations include activities such as logging, monitoring, patching, hardening, backups, vulnerability management, change management and operational access control.

Key concepts

• Security operations: daily activities to keep systems and services secure.
• Logging: recording of events and activities.
• Monitoring: continuous observation of systems, networks and anomalies.
• Hardening: reduction of the attack surface.
• Patching: application of updates and security fixes.
• Backup: copy of data to support recovery.
• Change management: controlled management of changes.
• Vulnerability management: identification, assessment and treatment of vulnerabilities.
• Baseline: normal reference configuration or behavior.
• Alerting: generation of alerts when important events are detected.
• Operational procedures: documented procedures for recurring activities.

Differences not to confuse

Concept	Main meaning
Logging	Records events
Monitoring	Observes events and anomalies
Alerting	Notifies when something requires attention
Hardening	Reduces the attack surface
Patching	Fixes known vulnerabilities
Backup	Supports data recovery
Change management	Controls changes
Vulnerability management	Manages vulnerabilities over time
Baseline	Normal reference state
Operational procedures	Documented steps for repeatable activities

Logging

Logging consists of recording events and activities that occur on systems, applications, networks and devices.

Examples of useful logs:

• successful and failed access attempts;
• configuration changes;
• administrative activities;
• system errors;
• security events;
• suspicious traffic;
• permission changes;
• activity on sensitive files.

Logs are important because they help detect problems, reconstruct events, support audits, investigations and incident response.

Monitoring

Monitoring consists of observing systems, networks, applications and behaviors to identify anomalies or suspicious activity.

Examples:

• anomalous network traffic;
• unusual usage spikes;
• access from unusual locations;
• repeated login failures;
• suspicious processes;
• unauthorized changes;
• outdated endpoints;
• unreachable systems.

For ISC2 CC, you need to remember that logging and monitoring are connected, but not identical: logging records, monitoring observes and analyzes.

Alerting

Alerting is used to notify when an event requires attention.

A good alert must be useful, understandable and prioritized. Too many useless alerts can cause alert fatigue, meaning operators lose attention.

Example: a single failed login may not be serious, but hundreds of failed logins in a few minutes may indicate a brute force attack.

Hardening

Hardening consists of making a system more secure by reducing unnecessary services, configurations and features.

Examples of hardening:

• disabling unnecessary services;
• closing unnecessary ports;
• removing unused accounts;
• applying secure configurations;
• limiting administrative privileges;
• disabling insecure protocols;
• correctly configuring firewalls and access;
• using security baselines.

The goal is to reduce the attack surface.

Patching

Patching consists of applying updates and fixes, especially for known vulnerabilities.

An unpatched system can become a weak point exploitable by malware, attackers or automated exploits.

A good patching process includes:

• identifying available updates;
• assessing criticality and impact;
• testing when necessary;
• planning deployment;
• installing the patch;
• verifying that the system works correctly.

For ISC2 CC, you need to remember that patching is a fundamental operational activity, but it must be managed in a controlled way.

Backup

Backups are used to recover data and systems after errors, failures, deletions, ransomware or other incidents.

A backup is useful only if:

• it is performed regularly;
• it is protected from unauthorized access;
• it is stored securely;
• it is tested;
• it can be restored within timeframes compatible with service needs.

A common mistake is thinking that having a backup automatically means being able to recover. In reality, backups must be verified and tested.

Change management

Change management is used to manage changes in a controlled way.

Examples of changes:

• updating a system;
• changing a firewall configuration;
• modifying permissions;
• installing software;
• replacing components;
• updating an application;
• modifying an access policy.

The purpose is to reduce errors, outages and risks caused by unplanned or unauthorized changes.

A change management process may include request, assessment, approval, testing, implementation, documentation and review.

Vulnerability management

Vulnerability management is the continuous process of identifying, assessing, prioritizing and treating vulnerabilities.

It includes:

• vulnerability scans;
• criticality assessment;
• impact analysis;
• prioritization;
• patching;
• temporary mitigations;
• verification of remediation;
• reporting and tracking.

The key point is that vulnerabilities must not only be found: they must be managed and corrected based on risk.

Baseline

A baseline is a normal state or reference configuration.

It can indicate:

• secure standard configuration;
• normal traffic behavior;
• average resource usage;
• approved settings;
• normally active services.

Baselines help recognize anomalies. If a system behaves very differently from normal, there may be an operational or security problem.

Operational procedures

Operational procedures make daily activities repeatable and controllable.

Examples:

• account creation procedure;
• access revocation procedure;
• backup procedure;
• patching procedure;
• escalation procedure;
• alert management procedure;
• recovery procedure;
• hardening checklist.

Procedures reduce errors, improvisation and dependence on individual people.

Common quiz mistakes

• Confusing logging and monitoring.
• Thinking that backups are useful even if they are not tested.
• Thinking that patching is always immediate and risk-free.
• Forgetting that changes must be approved and documented.
• Confusing hardening with monitoring.
• Thinking that vulnerability management only means running a scan.
• Forgetting that baselines help recognize anomalies.
• Thinking that operational procedures are less important than technical controls.
• Ignoring the risk of alert fatigue.

Mini exam scenario

An administrator needs to modify a firewall rule in production. Before applying the change, they open a request, document the reason, obtain approval, plan the intervention and verify the result after implementation.

This is a change management activity, because the change is managed in a controlled way to reduce errors and operational risks.

Mini checklist before the quiz

Before starting the quiz, you should be able to explain:

• the difference between logging and monitoring;
• why alerts must be prioritized;
• what hardening means;
• why patching is important;
• why backups must be tested;
• what change management is used for;
• what vulnerability management includes;
• what baseline means;
• why operational procedures are important;
• why security must be maintained every day.