Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 76
An information security manager is reviewing the organization’s incident response policy affected by a proposed public cloud integration. Which of the following will be the MOST difficult to resolve with the cloud service provider?
- Accessing information security event data
- Regular testing of incident response plan
- Obtaining physical hardware for forensic analysis
- Defining incidents and notification criteria
Which of the following should be communicated FIRST to senior management once an information security incident has been contained?
- Whether the recovery time objective was met
- A summary of key lessons learned from the incident
- The initial business impact of the incident
- Details on containment activities
Which of the following is the PRIMARY goal of an incident response team during a security incident?
- Ensure the attackers are detected and stopped
- Minimize disruption to business-critical operations
- Maintain a documented chain of evidence
- Shut down the affected systems to limit the business impact
Which of the following techniques is MOST useful when an incident response team needs to respond to external attacks on multiple corporate network devices?
- Penetration testing of network devices
- Vulnerability assessment of network devices
- Endpoint baseline configuration analysis
- Security event correlation analysis
What is the PRIMARY purpose of communicating business impact to an incident response team?
- To provide monetary values for post-incident review
- To provide information for communication of incidents
- To facilitate resource allocation for preventive measures
- To enable effective prioritization of incidents
The head of a department affected by a recent security incident expressed concern about not being aware of the actions taken to resolve the incident. Which of the following is the BEST way to address this issue?
- Ensure better identification of incidents in the incident response plan.
- Discuss the definition of roles in the incident response plan.
- Require management approval of the incident response plan.
- Disseminate the incident response plan throughout the organization.
An organization’s security was compromised by outside attackers. The organization believed that the incident was resolved. After a few days, the IT staff is still noticing unusual network traffic. Which of the following is the BEST course of action to address this situation?
- Initiate the incident response process.
- Identify potential incident impact.
- Implement additional incident response monitoring tools.
- Assess the level of the residual risk.
When responding to an incident, which of the following is required to ensure evidence remains legally admissible in court?
- Law enforcement oversight
- Chain of custody
- A documented incident response plan
- Certified forensics examiners
Which of the following would BEST demonstrate the maturity level of an organization’s security incident response program?
- An increase in the number of reported incidents
- A decrease in the number of reported incidents
- A documented and live-tested incident response process
- Ongoing review and evaluation of the incident response team
Which of the following provides the BEST opportunity to evaluate the capabilities of incident response team members?
- Disaster recovery exercise
- Black box penetration test
- Breach simulation exercise
- Tabletop test
The PRIMARY reason for implementing scenario-based training for incident response is to:
- help incident response team members understand their assigned roles.
- verify threats and vulnerabilities faced by the incident response team.
- ensure staff knows where to report in the event evacuation is required.
- assess the timeliness of the incident team response and remediation.
What should be an information security manager’s PRIMARY objective in the event of a security incident?
- Contain the threat and restore operations in a timely manner.
- Ensure that normal operations are not disrupted.
- Identify the source of the breach and how it was perpetrated.
- Identify lapses in operational control effectiveness.
An information security manager is preparing an incident response plan. Which of the following is the MOST important consideration when responding to an incident involving sensitive customer data?
- The assignment of a forensics team
- The ability to recover from the incident in a timely manner
- The ability to obtain incident information in a timely manner
- Following defined post-incident review procedures
Which of the following is the BEST way to prevent recurrence of a security incident?
- Review and update security policy on a regular basis
- Management support and approval of the incident response plan
- An appropriate investigation into the root cause with corrective measures applied
- An expanded and more effective monitoring and detection process for incidents
Which of the following should be the FIRST step of incident response procedures?
- Classify the event depending on severity and type.
- Identify if there is a need for additional technical assistance.
- Perform a risk assessment to determine the business impact.
- Evaluate the cause of the control failure.
What should an information security manager do FIRST when a service provider that stores the organization’s confidential customer data experiences a breach in its data center?
- Engage an audit of the provider’s data center.
- Recommend canceling the outsourcing contract.
- Apply remediation actions to counteract the breach.
- Determine the impact of the breach.
Which of the following is MOST critical for responding effectively to security breaches?
- Root cause analysis
- Evidence gathering
- Management communication
- Counterattack techniques
What should be an information security manager’s FIRST course of action upon learning of a security threat that has occurred in the industry for the first time?
- Update the relevant information security policy.
- Perform a control gap analysis of the organization’s environment.
- Revise the organization’s incident response plan.
- Examine responses of victims that have been exposed to similar threats.
An organization was forced to pay a ransom to regain access to a critical database that had been encrypted in a ransomware attack. What would have BEST prevented the need to make this ransom payment?
- Storing backups on a segregated network
- Training employees on ransomware
- Ensuring all changes are approved
- Verifying the firewall is configured properly
Which of the following is an organization’s BEST approach for media communications when experiencing a disaster?
- Defer public comment until partial recovery has been achieved.
- Report high-level details of the losses and recovery strategy to the media.
- Authorize a qualified representative to convey specially drafted messages.
- Hold a press conference and advise the media to refer to legal authorities.