5.10. Reflection Checkpoint
Key Takeaways
Before proceeding to Phase 6, ensure you can:
- Implement secure baselines and explain how configuration management prevents drift
- Select appropriate hardening techniques for different targets (mobile, server, IoT, cloud)
- Design a vulnerability management program from scanning through remediation validation
- Describe the role of SIEM in aggregating, correlating, and alerting on security events
- Compare EDR, XDR, DLP, NAC, and UBA — what each does and when to deploy it
- Apply the correct access control model (MAC, DAC, RBAC, ABAC) for a given scenario
- Explain the incident response lifecycle and what happens at each phase
- Select the appropriate data source to answer a specific investigative question
- Articulate the benefits and risks of security automation and SOAR
Connecting Forward
Phase 6 covers the management and governance layer that sits above all operations: how risk is quantified and managed, how third-party risk is assessed, how compliance is maintained, and how security awareness programs protect against the human element. Operations (Phase 5) tells you how to do security work; governance (Phase 6) tells you which work to prioritize and how to prove you're doing it.
Self-Check Questions
- A vulnerability scanner reports a CVSS 9.8 critical vulnerability on an isolated test server that processes no production data. A separate scan shows a CVSS 6.5 vulnerability on your internet-facing payment API. Which should you patch first, and why?
- An employee reports receiving a suspicious email. Describe the automated workflow that a SOAR platform might execute, from email analysis through containment.
- During an incident, an analyst powered on a suspect workstation that the attacker had shut down, in order to examine it. What forensic principle did the analyst violate, and what evidence might have been lost or altered?
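The second self-check question asks for a SOAR phishing workflow in prose; the script below is an added illustration of one, not part of this checkpoint or of any vendor's playbook. It walks a reported message through the stages the question names: analysis (parse headers, extract URLs), triage (match indicators against a denylist and a homoglyph heuristic), scoping (who else reached the URLs, from the proxy log) and containment (purge, block, credential reset, escalation). The two emails, the denylist, the lookalike rule and the proxy log are all constructed inputs standing in for the mail gateway, threat-intel feed and proxy a real platform would query; the action strings are what a playbook would dispatch, not calls to any product API.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages, as a SOAR platform would receive them from a
# "report phishing" mail-client button. Neither is a real email.
REPORTED_EMAIL = """\
From: IT Helpdesk <helpdesk@examp1e-corp.com>
To: alice@example.com
Subject: Action required: password expires today
Message-ID: <20240101.1234@examp1e-corp.com>
Content-Type: text/plain; charset=utf-8

Your password expires in 2 hours. Reset it now at
https://examp1e-corp.com/reset?user=alice to avoid being locked out.
"""

BENIGN_EMAIL = """\
From: Payroll <payroll@example.com>
To: bob@example.com
Subject: March payslip available
Message-ID: <20240301.42@example.com>
Content-Type: text/plain; charset=utf-8

Your payslip is available at https://example.com/portal.
"""

# Constructed enrichment sources standing in for a threat-intel feed, a
# lookalike-domain heuristic and the web proxy's access log ("user url action").
COMPANY_DOMAIN = "example.com"
DENYLISTED_DOMAINS = {"examp1e-corp.com"}
HOMOGLYPHS = str.maketrans("10", "lo")   # digits attackers swap for letters
PROXY_LOG = [
    "alice https://examp1e-corp.com/reset?user=alice ALLOWED",
    "bob https://example.com/portal ALLOWED",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def analyze(raw: str) -> dict:
    """Analysis stage: parse the reported message and extract indicators."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = [u.rstrip(".,;:") for u in URL_RE.findall(body)]  # drop trailing punctuation
    return {
        "message_id": str(msg["Message-ID"]),
        "reporter": parseaddr(str(msg["To"]))[1].lower(),
        "sender_domain": sender.rsplit("@", 1)[-1],
        "urls": set(urls),
        "url_domains": {domain_of(u) for u in urls},
    }


def is_lookalike(domain: str) -> bool:
    """True when swapping digit homoglyphs for letters reveals the company name."""
    normalized = domain.translate(HOMOGLYPHS)
    return normalized != domain and COMPANY_DOMAIN.split(".")[0] in normalized


def triage(ind: dict) -> tuple:
    """Decision stage: verdict plus the reasons that drove it."""
    reasons = []
    for d in sorted({ind["sender_domain"]} | ind["url_domains"]):
        if d in DENYLISTED_DOMAINS:
            reasons.append(f"{d} is on the threat-intel denylist")
        elif is_lookalike(d):
            reasons.append(f"{d} is a homoglyph lookalike of {COMPANY_DOMAIN}")
    return ("malicious" if reasons else "benign"), reasons


def users_who_clicked(urls: set) -> set:
    """Scoping stage: who else reached the malicious URLs, per the proxy log."""
    return {user for user, url, action in (line.split() for line in PROXY_LOG)
            if url in urls and action == "ALLOWED"}


def contain(ind: dict, verdict: str, clickers: set) -> list:
    """Containment stage: the actions the playbook would dispatch."""
    if verdict != "malicious":
        return ["close case: no indicators matched; thank reporter"]
    actions = [f"purge message-id {ind['message_id']} from all mailboxes",
               f"block sender domain {ind['sender_domain']} at mail gateway"]
    actions += [f"block {d} at web proxy" for d in sorted(ind["url_domains"])]
    for user in sorted(clickers):   # clicked the link: treat credentials as exposed
        actions += [f"force password reset for {user}",
                    f"revoke active sessions for {user}"]
    actions.append("open incident ticket for analyst review")
    return actions


def run_playbook(raw: str) -> dict:
    ind = analyze(raw)
    verdict, reasons = triage(ind)
    clickers = users_who_clicked(ind["urls"]) if verdict == "malicious" else set()
    return {"verdict": verdict, "reasons": reasons, "clickers": clickers,
            "actions": contain(ind, verdict, clickers)}


if __name__ == "__main__":
    for raw in (REPORTED_EMAIL, BENIGN_EMAIL):
        for key, value in run_playbook(raw).items():
            print(f"{key}: {value}")
```

Two design points worth noticing: the benign report closes with no containment at all, which is the failure mode (over-automation) the fourth takeaway warns about, and the credential reset is scoped by proxy evidence of a click rather than applied to every recipient, so the playbook's blast radius stays proportional to what the logs actually show.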
