CISSP Domain 7: Least Privilege, SoD & Resource Protection
On the CISSP, security operations questions come down to one move: read whether the scenario wants you to PREVENT an abuse or DETECT one, then match the exact control to that requirement. This Domain 7 deep-dive separates need-to-know from least privilege, walks through separation of duties and the detective controls that catch a trusted insider, and covers resource protection and service level agreements. With Fatima, Erica, Lewis, and Beth, we cover the security-operations foundations behind 13% of the current exam, and the question-reading habits that turn ‘BEST’ and ‘MOST’ scenarios into quick, defensible picks.
In this video:
- Need-to-know (the data you may see) versus least privilege (the capability you may use)
- Privilege creep, periodic access reviews, just-in-time access, and prompt deprovisioning
- Separation of duties: why one person creating AND approving a vendor is the classic violation
- Mandatory vacation and job rotation as DETECTIVE controls, and how they differ from prevention
- Dual control and two-person integrity for the few actions you can never trust to one person
- Resource protection: media management, asset and configuration baselines, secure decommissioning, and SLAs
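As an added example that is not from the video: the create-and-approve violation above has a PREVENT side (refuse the approval at the time it is requested) and a DETECT side (find it afterwards in the audit trail), and the two functions below show each over a constructed vendor-master log. The event tuple layout, the action names and the function names are assumptions for this illustration, not a real product's schema.

```python
# Added illustration (not from the video): preventive vs detective handling
# of a separation-of-duties rule. The event layout and action names are
# assumptions; the log lines are constructed sample data.
from collections import defaultdict

# Constructed sample events: (timestamp, actor, action, vendor_id).
SAMPLE_EVENTS = [
    ("2024-05-01T09:02", "alice", "vendor.create",  "V-1001"),
    ("2024-05-01T09:05", "bob",   "vendor.create",  "V-1001"),  # edit by 2nd person, not an approval
    ("2024-05-01T09:06", "carol", "vendor.approve", "V-1001"),  # clean: distinct creator/approver
    ("2024-05-02T14:10", "dave",  "vendor.create",  "V-1002"),
    ("2024-05-02T14:11", "dave",  "vendor.approve", "V-1002"),  # violation: same person
    ("2024-05-03T08:30", "alice", "vendor.create",  "V-1003"),
    ("2024-05-03T08:31", "alice", "vendor.approve", "V-1003"),  # violation ...
    ("2024-05-03T08:40", "carol", "vendor.approve", "V-1003"),  # ... a later 2nd approval does not cure it
]

# Action pairs that one person must never perform on the same record.
CONFLICTING_PAIRS = {("vendor.create", "vendor.approve")}

def find_sod_violations(events, conflicts=CONFLICTING_PAIRS):
    """DETECTIVE control: return sorted (vendor_id, actor) pairs where one actor
    performed both halves of a conflicting action pair on the same record."""
    actors_by = defaultdict(set)            # (vendor_id, action) -> {actors}
    for _ts, actor, action, vendor_id in events:
        actors_by[(vendor_id, action)].add(actor)
    violations = set()
    for first, second in conflicts:
        for (vendor_id, action), actors in actors_by.items():
            if action != first:
                continue
            for actor in actors & actors_by.get((vendor_id, second), set()):
                violations.add((vendor_id, actor))
    return sorted(violations)

def may_approve(events, actor, vendor_id):
    """PREVENTIVE control: allow the approval only if this actor did not
    create the record. Runs before the approval is written, not after."""
    creators = {a for _t, a, act, v in events
                if v == vendor_id and act == "vendor.create"}
    return actor not in creators

if __name__ == "__main__":
    for vendor_id, actor in find_sod_violations(SAMPLE_EVENTS):
        print(f"SoD violation: {actor} both created and approved {vendor_id}")
```

Note that the detective check also catches the case where a second, legitimate approver signed later: the record still had one person on both sides of the control.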
The next video in the series moves into logging and monitoring, where you actually catch the activity these controls are built to surface. Anchored to the (ISC)2 CISSP Detailed Content Outline effective April 15, 2024.
Chapters
- 0:00 The Trusted Employee Who Stole for Years
- 3:43 Need-to-Know vs Least Privilege
- 6:20 Privilege Creep: The Slow Leak
- 9:00 Splitting the Job So No One Owns It
- 11:51 The Vacation That Catches the Thief
- 14:37 Two Keys, One Action
- 17:16 Protecting the Resources Themselves
- 20:00 The Promise You Can Measure
- 22:40 When the Anomaly Engine Watches
- 25:20 Think Like a Manager
- 28:07 Quiz Time
- 31:37 Key Takeaways