Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 73
Which of the following helps to ensure that the appropriate resources are applied in a timely manner after an incident has occurred?
- Initiate an incident management log.
- Define incident response teams.
- Broadcast an emergency message.
- Classify the incident.
The MOST important reason to use a centralized mechanism to identify information security incidents is to:
- comply with corporate policies.
- prevent unauthorized changes to networks.
- detect threats across environments.
- detect potential fraud.
After a server has been attacked, which of the following is the BEST course of action?
- Conduct a security audit
- Review vulnerability assessment
- Isolate the system
- Initiate incident response
An employee has just reported the loss of a personal mobile device containing corporate information. Which of the following should the information security manager do FIRST?
- Disable remote access
- Initiate a device reset
- Initiate incident response
- Conduct a risk assessment
An organization experienced a data breach and followed its incident response plan. Later it was discovered that the plan was incomplete, omitting a requirement to report the incident to the relevant authorities. In addition to establishing an updated incident response plan, which of the following would be MOST helpful in preventing a similar occurrence?
- Attaching reporting forms as an addendum to the incident response plan
- Management approval of the incident reporting process
- Ongoing evaluation of the incident response plan
- Assignment of responsibility for communications
An audit has determined that employee use of personal mobile devices to access the company email system is resulting in confidential data leakage. The information security manager’s FIRST course of action should be to:
- treat the situation as a security incident to determine appropriate response.
- implement a data leakage prevention tool to stem further loss.
- isolate the mobile devices on the network for further investigation.
- treat the situation as a new risk and update the security risk register.
Which of the following is the MOST important criterion for complete closure of a security incident?
- Level of potential impact
- Root-cause analysis and lessons learned
- Identification of affected resources
- Documenting and reporting to senior management
An incident response team has determined there is a need to isolate a system that is communicating with a known malicious host on the Internet. Which of the following stakeholders should be contacted FIRST?
- Executive management
- System administrator
- Key customers
- The business owner
Which of the following is the MOST effective way to detect information security incidents?
- Providing regular and up-to-date training for the incident response team
- Establishing proper policies for response to threats and vulnerabilities
- Performing regular testing of the incident response program
- Educating end users on threat awareness and timely reporting
Which of the following is MOST important to verify when reviewing the effectiveness of response to an information security incident?
- Lessons learned have been implemented.
- Testing has been completed on time.
- Test results have been properly recorded.
- Metrics have been captured in a dashboard.
Which of the following is a security manager’s FIRST priority after an organization’s critical system has been compromised?
- Implement improvements to prevent recurrence.
- Restore the compromised system.
- Preserve incident-related data.
- Identify the malware that compromised the system.
The PRIMARY focus of a training curriculum for members of an incident response team should be:
- specific role training
- external corporate communication
- security awareness
- technology training
The BEST way to ensure that frequently encountered incidents are reflected in the user security awareness training program is to include:
- results of exit interviews.
- previous training sessions.
- examples of help desk requests.
- responses to security questionnaires.
Which of the following is MOST important for the effectiveness of an incident response function?
- Enterprise security management system and forensic tools
- Establishing prior contacts with law enforcement
- Training of all users on when and how to report
- Automated incident tracking and reporting tools
Which of the following is the MOST important reason to consider the role of the IT service desk when developing incident handling procedures?
- Service desk personnel have information on how to resolve common systems issues.
- The service desk provides a source for the identification of security incidents.
- The service desk provides information to prioritize systems recovery based on user demand.
- Untrained service desk personnel may be a cause of security incidents.
A user reports a stolen personal mobile device that stores sensitive corporate data. Which of the following will BEST minimize the risk of data exposure?
- Wipe the device remotely.
- Remove user’s access to corporate data.
- Prevent the user from using personal mobile devices.
- Report the incident to the police.
Which of the following is the PRIMARY responsibility of the designated spokesperson during incident response testing?
- Communicating the severity of the incident to the board
- Establishing communication channels throughout the organization
- Evaluating the effectiveness of the communication processes
- Acknowledging communications from the incident response team
Which of the following BEST contributes to the successful management of security incidents?
- Established procedures
- Established policies
- Tested controls
- Current technologies
After the occurrence of a major information security incident, which of the following will BEST help an information security manager determine corrective actions?
- Calculating cost of the incident
- Conducting a postmortem assessment
- Preserving the evidence
- Performing an impact analysis
Which of the following metrics is MOST appropriate for evaluating the incident notification process?
- Average total cost of downtime per reported incident
- Average number of incidents per reporting period
- Elapsed time between response and resolution
- Elapsed time between detection, reporting and response