CISSP Domain 7

For many CISSP candidates, “Comply with Investigations” sounds like a legal topic that belongs to lawyers and compliance teams. In reality, IT and security professionals are often the first, last, and most critical link in any investigation—whether it’s internal misconduct, a ransomware incident, or a regulatory audit.

Domain 7 does not expect you to become a lawyer. What it does expect is that you understand how investigations work, how evidence must be handled, and how your technical decisions can make or break a case.

From my experience, most organizations fail investigations not because they were guilty—but because their logs were incomplete, evidence was mishandled, or staff panicked and altered systems. This domain is about avoiding those failures.


Types of Investigations (Know the Differences Cold)

CISSP Domain 7 identifies four investigation types, each with different standards of proof, authority, and outcomes.

1. Administrative Investigations

  • Lowest burden of proof
  • Internal to the organization
  • Focused on policy violations
  • Often conducted by HR, internal audit, or security teams

Examples:

  • Acceptable use policy violations
  • Insider data misuse
  • Privilege abuse

These investigations often precede more serious actions. Poor handling here can escalate an issue unnecessarily.


2. Criminal Investigations

  • Highest burden of proof: beyond a reasonable doubt
  • Conducted by law enforcement and prosecuted by the government
  • Violations of criminal law
  • Penalties include imprisonment and fines

From an IT perspective, criminal cases demand absolute evidence integrity. One improperly handled hard drive or altered log file can invalidate months of investigative work.


3. Civil Investigations

  • Standard of proof: preponderance of the evidence
  • Between private parties
  • Focused on liability, not punishment

Examples:

  • Breach of contract
  • Negligence claims
  • Intellectual property disputes

A key CISSP distinction: criminal cases are brought by the state; civil cases are initiated by individuals or organizations.


4. Regulatory Investigations

  • May be civil or criminal
  • Focused on compliance
  • Often industry-specific (HIPAA, GDPR, PCI DSS, SOX)

Regulators typically care less about intent and more about whether controls existed, were documented, and were followed.


Understanding Evidence: Where IT Gets It Wrong

Evidence handling is one of the most tested—and misunderstood—areas of Domain 7.

Real (Material) Evidence

  • Physical, tangible items
  • Examples: hard drives, USB devices, servers
  • Requires strict chain of custody

Important nuance: The device is the evidence, not the data itself.


Direct Evidence

  • Firsthand testimony
  • What a witness directly observed

Example: an admin testifying that they personally saw an unauthorized login.


Circumstantial Evidence

  • Indirect evidence
  • Requires inference

Logs, timestamps, and access patterns usually fall into this category—and most digital investigations rely heavily on circumstantial evidence.


Corroborating Evidence

  • Supports or strengthens other evidence
  • Multiple logs confirming the same activity

Strong cases rarely rely on a single data source.


Hearsay Evidence

  • Secondhand statements
  • Historically, computer-generated records were often challenged as hearsay

Modern courts increasingly accept computer-generated records, especially when systems are well-documented and access-controlled.


Best Evidence Rule

  • Original evidence is preferred
  • Copies are acceptable only when originals are unavailable

In IT terms, this is why forensic images are created and originals preserved untouched.


Documentary and Oral Evidence

  • Emails, screenshots, recordings, logs
  • Witness testimony in court

CISSP insight: Most cases use a blend of all evidence types.


The Five Rules of Evidence (Memorize and Apply)

For evidence to stand, it must be:

  1. Authentic – Proven to be what it claims to be
  2. Accurate – Free from errors or alteration
  3. Complete – Shows the full picture
  4. Convincing – Understandable and credible
  5. Admissible – Legally allowed in court

Admissibility depends on evidence being relevant, material, and competent.
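The best evidence rule above and the authenticity and accuracy rules in this section come down to one practice: image the original once, hash it, never touch it again, and keep a custody trail that shows every later check. The following script is an added illustration, not code from the post; the file names, handler names and constructed disk content are assumptions, and a real acquisition would use a write blocker and a dedicated imaging tool rather than a Python copy loop.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def custody_entry(handler, action, **extra):
    """One timestamped line of the chain-of-custody trail."""
    return {"handler": handler, "action": action,
            "at": datetime.now(timezone.utc).isoformat(), **extra}

def acquire_image(original_path, image_path, handler):
    """Copy the original byte-for-byte (opened read-only), hash both, open the record."""
    with open(original_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    original_hash = sha256_file(original_path)
    return {"original": original_path, "image": image_path, "sha256": original_hash,
            "image_matches_original": sha256_file(image_path) == original_hash,
            "custody": [custody_entry(handler, "acquired")]}

def verify_image(image_path, record, handler):
    """Re-hash the copy; a mismatch means it was altered and is no longer accurate evidence."""
    matches = sha256_file(image_path) == record["sha256"]
    record["custody"].append(custody_entry(handler, "verified",
                                           result="match" if matches else "MISMATCH"))
    return matches

def run_demo():
    """Constructed walkthrough: acquire, verify, then catch an altered working copy."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "seized_disk.bin")  # stand-in for the seized drive
        image = os.path.join(workdir, "seized_disk.img")     # hypothetical working copy
        with open(original, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 16)         # constructed, deterministic content
        record = acquire_image(original, image, handler="analyst-1")
        first = verify_image(image, record, handler="analyst-2")
        with open(image, "r+b") as f:                        # simulate someone writing to the copy
            f.seek(100); f.write(b"X")
        second = verify_image(image, record, handler="analyst-2")
        return record, first, second
```

The custody record is what a court or regulator asks for: who handled the copy, when, and whether its hash still matched the original at each step.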


Search Warrants and Exigent Circumstances

  • Search warrants require probable cause
  • Exigent circumstances allow seizure without a warrant if evidence is at risk of destruction

From experience, IT staff should never decide this themselves. Always involve legal counsel.


Electronic Discovery (e-Discovery): Where IT and Law Collide

E-discovery deals with identifying, preserving, and producing electronically stored information (ESI).

Key challenges:

  • Massive data volumes
  • Metadata preservation
  • Data sprawl across cloud, SaaS, and endpoints

Metadata—timestamps, authorship, modification history—often matters more than the document content itself.


The EDRM: A Framework CISSP Loves

The Electronic Discovery Reference Model (EDRM) provides a lifecycle view:

  1. Information Governance
  2. Identification
  3. Preservation
  4. Collection
  5. Processing
  6. Review
  7. Analysis
  8. Production
  9. Presentation

Real-world insight: Poor information governance makes every later step slower, riskier, and more expensive.


Logging and Monitoring: Your Best (and Worst) Witness

Investigations live or die by logs.

IDS and IPS

  • IDS detects suspicious activity
  • IPS actively blocks threats
  • Network-based and host-based variants

SIEM

  • Centralizes logs
  • Enables correlation
  • Critical for large environments

A SIEM without proper log sources is security theater.
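The corroborating evidence point earlier (multiple logs confirming the same activity) and the SIEM correlation point here are the same idea in practice: an event seen in one source is a claim, an event seen in two independent sources is corroborated. The script below is an added example, not part of the post; the two log formats, host and user names, and addresses are all constructed, and a SIEM would apply the same matching at scale.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system). Both use key=value fields
# after an ISO-8601 timestamp; 203.0.113.0/24 is a documentation address range.
FILE_SERVER_LOG = """\
2024-05-03T02:14:07Z host=fs01 event=login user=jdoe src=203.0.113.7 result=success
2024-05-03T02:15:40Z host=fs01 event=file_read user=jdoe path=/finance/q2.xlsx
2024-05-03T03:40:12Z host=fs01 event=login user=asmith src=10.0.0.5 result=success
"""
VPN_LOG = """\
2024-05-03T02:13:55Z vpn=gw1 event=tunnel_up user=jdoe src=203.0.113.7
2024-05-03T02:16:02Z vpn=gw1 event=tunnel_down user=jdoe
"""

def parse_kv_log(text, source):
    """Turn 'TIMESTAMP k=v k=v ...' lines into dicts, tagging each with its log source."""
    events = []
    for line in text.splitlines():
        stamp, *fields = line.split()
        ev = {"source": source,
              "ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def corroborate_logins(server_events, vpn_events, window_seconds=120):
    """For each server login, find an independent VPN tunnel_up for the same user and
    address within the window; corroborated_by is None when only one source saw it."""
    window = timedelta(seconds=window_seconds)
    results = []
    for login in (e for e in server_events if e.get("event") == "login"):
        support = next((v for v in vpn_events
                        if v.get("event") == "tunnel_up"
                        and v.get("user") == login.get("user")
                        and v.get("src") == login.get("src")
                        and abs(v["ts"] - login["ts"]) <= window), None)
        results.append({"user": login["user"], "src": login["src"],
                        "ts": login["ts"].isoformat(),
                        "corroborated_by": support["source"] if support else None})
    return results

def run_demo():
    """Correlate the constructed file-server and VPN logs."""
    server = parse_kv_log(FILE_SERVER_LOG, "fileserver-auth")
    vpn = parse_kv_log(VPN_LOG, "vpn-gateway")
    return corroborate_logins(server, vpn)
```

In the sample data, jdoe's login is backed by a matching VPN tunnel from the same address, while asmith's login rests on the file server log alone and would need another source before it carries much weight.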


Continuous Monitoring

  • Near-real-time analysis
  • Detects incidents early
  • Supports rapid investigation

Egress Monitoring and DLP

  • Detects data leaving the network
  • Prevents exfiltration
  • Supports insider threat investigations

Advanced Data Concerns: Steganography and Watermarking

Steganography

  • Data hidden within files
  • Extremely difficult to detect
  • Common in espionage and insider cases

Watermarking

  • Embeds ownership markers
  • Supports IP protection
  • Helps prove data origin

Final Thoughts: Investigations Are a Security Capability

CISSP Domain 7 doesn’t just test legal definitions—it tests whether you understand how security decisions ripple into legal consequences.

Organizations that succeed in investigations:

  • Log consistently
  • Preserve evidence correctly
  • Train staff not to panic
  • Involve legal early
  • Treat investigations as part of security—not an afterthought

If you design systems assuming they’ll one day be examined in court, you’re already operating at a CISSP level.
