Incident Management Flashcards

Question

In order to contain an incident, which of the following would be the MOST effective to ensure that the proper tools, technologies and subject matter experts are engaged? A.process B.team C.plan D.strategy

Answer 1

D is the correct answer. Justification Processes will be developed based on the strategy. Once processes are developed, teams are defined by the strategy. Unless a strategy is defined, a plan cannot be developed. A strategy is the most effective, as it defines the overall goal of the incident response.

Answer 2

D is the correct answer. Justification Determining response time is based on the categorization of incidents. The process for reporting depends on the categorization. Management may want only high-severity incidents to be reported. The resources required depend on the categorization of the incident and the established response time. Incidents with higher likelihood and impact warrant more attention.

Answer 3

A is the correct answer. Justification Incident response procedures primarily focus on containing the incident and minimizing damage. Root cause analysis is a component of the overall incident management process rather than the incident response procedure. Implementing solutions is possible only after a cause has been determined. Recording and closing tickets is part of the subsequent documentation process but is not the primary focus of incident response.

Answer 4

B is the correct answer. Justification Knowing about security policies and procedures may be important. However, this knowledge is not a must item for an incident response team to work efficiently. Incident response team members need to work in a disrupted environment; therefore, it is essential that they be clearly aware of roles and responsibility prior to engagement. There could be an instance when a digital forensic analyst is needed. In such a case, assigning a qualified professional may be the best solution, rather than having the response team learn the skills. The reporting structure is a mandatory component for a team to operate. However, in the case of incident response, team size is usually small and the reporting line may be flat. Thus, it may not be a major contributor to efficiency.

Answer 5

D is the correct answer. Justification Containment is one of the steps of the standard incident management process, not the primary objective. Depending on the nature of the incident and its potential impact on the enterprise, containment may or may not be a priority. Root-cause analysis facilitates long-term remediation of vulnerabilities to prevent the recurrence of a given type of incident, but it is not the purpose of incident management. Eradication is one of the steps of the standard incident management process, not the primary objective. The purpose of incident management is to identify and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels.

Answer 6

A is the correct answer. Justification To effectively detect and mitigate zero-day attacks, coordinated and optimized defense and tested response plans are needed. These should include the best prevention and detection technology, a plan for worst-case scenarios and a comprehensive response plan. The business impact analysis identifies and analyzes business processes, which drives the assignment of recovery objectives and prioritization. It can be used to help develop the incident response plan. A scenario analysis helps to assess risk qualitatively and is part of a risk assessment process. However, the incident response plan would be a more effective tool in dealing with zero-day attacks. A walkthrough tests the design and effectiveness of existing controls. However, existing controls typically do not defend against non-identified zero-day attacks.

Answer 7

A is the correct answer. Justification Incident management identifies and assesses incidents as they happen. Then it implements improvements to prevent future occurrences. Detecting and documenting incidents is only part of the process; future occurrences need to be addressed and prevented. Risk management occurs outside the incident management program. Objectives are set based on business needs, and capabilities are built to meet those objectives.

Answer 8

D is the correct answer. Justification Threat assessment lists only the threats the information asset is exposed to; it does not consider the value of the asset and impact of the threat on the value. Vulnerability assessment lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value. Resource dependency assessments provide process needs, but not impact. The criticality and sensitivity of information assets depends on the impact of the likelihood of the threats exploiting vulnerabilities in the asset and takes into consideration the value of the assets and the impairment of the value.

Answer 9

B is the correct answer. Justification A business impact analysis (BIA) is not used to determine total cost of ownership to the enterprise. A BIA is the best tool for determining the priority of restoration for applications. A BIA is not used to determine annual loss expectancy to the enterprise. A BIA is not used to determine residual risk to the enterprise.

Answer 10

A is the correct answer. Justification Conducting a business impact analysis (BIA) focusing on the failure of the transition would provide the most direct and relevant information. The BIA would assess the potential impacts on the business operations, financial performance, and reputation of the company due to the failure of the transition. Reviewing the risk register for risk associated with quantum computing could provide useful information, but it might not directly address the specific scenario of the transition failure. Performing a post-implementation review of the transition process could provide insights into what went wrong during the transition, but it might not fully capture the potential impacts of the transition failure. Initiating a cost-benefit analysis of the transition to quantum-resistant algorithms could provide information about the financial feasibility of the transition, but it might not directly assess the potential impacts of the transition failure.

Answer 11

C is the correct answer. Justification Vulnerability management is an important part of managing any system, not only a web-based service, but mitigation decisions are made on the basis of risk and are not isolated to an annual activity. The decision of whether to carry liability insurance is a business decision made on the basis of quantified risk. A service that is gaining popularity will increase in value to the enterprise as it grows, leading to corresponding growth in the magnitude of potential loss should the service be interrupted. Periodic business impact analyses (BIAs) quantify this magnitude and ensure that adequate recovery capabilities can be put in place. Real-time failover capabilities may be warranted, but the decision to design and deploy such capabilities is a business decision based in large part on an accurate BIA quantifying the magnitude of potential loss should the service be interrupted.

Answer 12

B is the correct answer. Justification A disaster recovery plan does not include impact of system loss. A business impact analysis must be completed prior to disaster recovery planning. A business impact analysis is used to establish the escalation of loss over time, in addition to other elements. Site proximity is a consideration during disaster recovery planning for locating a recovery site. Where the site is located does not indicate the business impact. Full interruption testing is used to validate disaster recovery plans. A business impact analysis must be completed prior to disaster recovery planning.

Answer 13

A is the correct answer. Justification Identifying dependencies between IoT devices and critical business functions is crucial for understanding the operational impact of IoT-related disruptions. Assessing these dependencies helps prioritize mitigation efforts and ensure continuity of essential business operations. Assessing the financial and reputational impact of IoT-related disruptions is important for quantifying potential losses and justifying investments in risk mitigation measures. Understanding both direct and indirect costs provides a comprehensive view of the overall impact on the organization’s financial health. Evaluating regulatory and compliance implications is essential, particularly in industries with stringent regulations governing data privacy and security. IoT-related disruptions may lead to regulatory violations and legal consequences, highlighting the importance of compliance in BIA. Analyzing the resilience and redundancy measures in the IoT infrastructure is crucial for assessing the organization’s ability to withstand and recover from disruptions. Identifying gaps in resilience measures enables proactive mitigation strategies to minimize the impact of IoT-related incidents.

Answer 14

D is the correct answer. Justification The business impact analysis (BIA) process is closely related to business continuity planning (BCP). It serves as a foundational step feeding into the BCP life cycle and should be performed first. BIA identifies critical business functions, dependencies, and impacts of disruptions, which are essential for developing effective BCP strategies and plans. BCP typically follows the BIA process in the BCP life cycle. BIA is conducted first to identify critical business functions, dependencies, and impacts of disruptions, which then inform the development of BCP strategies and plans. Both the BIA and BCP are required on initial and subsequent reviews. The BIA process identifies critical business functions, dependencies, resources, and recovery requirements, which serve as essential inputs for developing BCP strategies and plans. The BIA process identifies critical business functions, dependencies, resources, and recovery requirements, which serve as essential inputs for developing BCP strategies and plans. BCP builds upon the insights gained from the BIA to develop comprehensive plans and procedures for responding to and recovering from disruptive events.

Answer 15

B is the correct answer. Justification Performing a business impact analysis (BIA) will include reassessment of the maximum tolerable outage (MTO); until that time, there is no way to determine whether it is the MTO or the allowable interruption window (AIW) that is incorrect. The first issue is to determine whether the plan is current and then update requirements as necessary. The BIA will most likely be a collaborative effort with the business process owners. The service delivery objective will need to be updated by performing a BIA. The MTO should always be at least equal to the AIW and is generally longer.

Answer 16

D is the correct answer. Justification Identifying security threats is part of a risk assessment, not a business impact analysis (BIA). Notification and activation procedures are not part of a BIA but should be part of a business continuity plan. Listing investigative priorities is not part of a BIA. Key results of a BIA include listing critical business resources, identifying disruption impacts and allowable outage times, and developing recovery priorities.

Answer 17

A is the correct answer. Justification A business impact analysis (BIA) ensures that operations are prioritized correctly for recovery in case of a disaster. An enterprise risk assessment would not support prioritization of system recovery. A business process map would not support prioritization of system recovery. A threat statement would not support prioritization of system recovery.

Answer 18

B is the correct answer. Justification Historical incident response data may provide insights into incidents but may not directly address the classification of sensitivity. In the absence of organizational documentation such as a business impact analysis or an asset criticality assessment report, system and data sensitivity can be determined based on the level of protection required to maintain the availability, integrity, and confidentiality of the system and data. Industry benchmarks and standards can be valuable, but they determine system and data sensitivity specific to an enterprise. Postponing sensitivity classification emphasizes the need to complete the necessary documentation for a comprehensive sensitivity assessment; however, it is not the best course of action as it leaves data vulnerable.

Answer 19

A is the correct answer. Justification Disaster recovery is driven by risk, which is a combination of likelihood and consequences. Once likelihood has been determined, the next step is to determine the magnitude of impact. Risk tolerance is the acceptable deviation from acceptable risk. This is taken into account once risk has been quantified, which is dependent on determining the magnitude of impact. Replacement cost is needed only when replacement is required. Book value does not represent actual asset value and cannot be used to measure magnitude of impact.

Answer 20

A is the correct answer. Justification A business impact analysis (BIA) is an exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system. The main inputs into a BIA are criticality of a business function or process, associated resources and maximum tolerable downtime. Cost of business outages is associated with business continuity planning but is not related to the BIA. Business continuity testing methodology is associated with business continuity planning but is not related to the BIA. Structure of the crisis management team is associated with business continuity planning but is not related to the BIA.

Answer 21

A is the correct answer. Justification A periodic business impact analysis (BIA) can help compensate for changes in the needs of the business for recovery during a disaster. Assigning new applications a higher degree of importance and scheduling them for recovery first reflects an incorrect assumption regarding the automatic importance of a new program. Developing a help desk ticket process that allows departments to request recovery of software during a disaster is not an appropriate recovery procedure because it allows individual business units to make unilateral decisions without consideration of broader implications. The risk assessment may not include the BIA.

Answer 22

C is the correct answer. Justification The business continuity coordinator will not be able to provide the correct level of detailed knowledge. The information security manager will not have the level of detailed knowledge needed. Business process owners are in the best position to understand the true impact on the business that a system outage would create. IT management would not be able to provide the required level of detailed knowledge.

Answer 23

C is the correct answer. Justification The business continuity coordinator will not be able to provide the correct level of detailed knowledge. The information security manager will not have the level of detailed knowledge needed. Business process owners are in the best position to understand the true impact on the business that a system outage would create. IT management would not be able to provide the required level of detailed knowledge.

Answer 24

D is the correct answer. Justification Limiting the business impact analysis (BIA) process to only IT personnel responsible for infrastructure resources and management may overlook critical business functions and dependencies beyond IT systems and infrastructure. While IT personnel play a crucial role in assessing the impact of technology-related disruptions, involving representatives from various business units ensures a more holistic understanding of the organization’s overall business continuity needs. While senior management and executives provide strategic direction and oversight, relying solely on their input may not capture the detailed operational insights necessary for an effective BIA. Involving representatives from various business units and departments ensures that the BIA process considers a wide range of perspectives and operational details essential for identifying critical functions, dependencies, and recovery priorities. While the risk management team is one of the stakeholders, internal audit teams are not typically involved in the recreation or rewriting of the BIA. Their input from earlier audits would be considered, but they would not be directly involved. Involving representatives from different business units and departments ensures that the BIA process considers the unique perspectives and requirements of each area within the organization. These stakeholders provide valuable insights into their respective functions, processes, dependencies, and critical assets, enabling a comprehensive assessment of the potential impacts of disruptive events on the organization’s operations.

Answer 25

C is the correct answer. Justification Business continuity planning (BCP) is closely related to other risk management activities within an organization. It involves identifying and assessing risk to business operations and developing strategies to mitigate impacts, which are fundamental components of broader risk management processes. BCP does not replace other risk management processes and controls within an organization. Instead, it complements existing risk management efforts by focusing specifically on ensuring continuity of critical business functions during disruptions. BCP identifies potential risk and impacts to critical business functions and processes. By providing these inputs, BCP informs the development of risk management strategies and controls within the organization. This integration ensures that risk management efforts align with the organization’s continuity objectives, enhancing resilience and preparedness. BCP should be conducted in coordination with other risk management activities within the organization to ensure alignment and integration of efforts. By incorporating BCP into the overall risk management framework, organizations can enhance their resilience and effectiveness in managing various risk factors.

Answer 26

C is the correct answer. Justification It is a good practice to have a set of standard operating procedures. However, in the case of a business disruption, processes may not work as expected, so the standard operating procedure on its own is not the best option. Staff rotation is a good practice; however, it is not primarily designed for a business continuity program. In the event of a business disruption, the centralized chain of command may become disabled. To prepare for this situation, it may be effective to delegate authority to local management to ensure the continuity of operations. It makes sense for an enterprise to establish a partnership with the local community. However, it is usually carried out from a social responsibility perspective rather than the interest of an enterprise (i.e., business continuity in each region).

Answer 27

C is the correct answer. Justification A hot site is incorrect because it is a site kept fully equipped with processing capabilities and other services by the vendor. A redundant site is incorrect because it is a site equipped and configured exactly like the primary site. A reciprocal arrangement is an agreement that allows two enterprises to back up each other during a disaster. This approach sounds desirable, but it has the greatest chance of failure due to problems in keeping agreements and plans up to date and providing adequate processing capacity. A cold site is incorrect because it is a building that has a basic environment such as electrical wiring, air conditioning, flooring, etc., and is ready to receive equipment in order to operate.

Answer 28

B is the correct answer. Justification The cost to rebuild information processing facilities would not be the first thing to determine. Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing different systems. This will allow recovery time objectives to be determined. Location and cost of a recovery facility cannot be addressed until the potential losses are calculated, which will determine the type of recovery site that is needed—and this will affect cost. Individual recovery team requirements will occur after the requirements for business continuity are determined.

Answer 29

A is the correct answer. Justification The main variable affecting the ability to operate in the recovery site is adequate resource availability, such as diesel fuel to operate generators. Although resources would be taken into account during initial calculation of the maximum tolerable outage (MTO), circumstances associated with disaster recovery frequently have unexpected impacts on availability of resources. As a result, the expectations may not be met during real-world events. The operational capabilities of the recovery site would have been predetermined and factored into the MTO. Long haul diversity does not affect MTO. Last mile protection does not affect MTO.

Answer 30

B is the correct answer. Justification The value of resources does not provide information on the risk to those resources. Knowledge of an information resource’s value provides an understanding of the potential impact of the loss of the resource. Information regarding potential impact is not adequate to determine control strength requirements; risk levels must also be understood. The annual loss expectancy can only be calculated after determining the magnitude of the loss and frequency of occurrence.

Answer 31

B is the correct answer. Justification Meeting recovery time objectives regarding data restoration is crucial. However, if the business does not run end-to-end, there will still be issues, and data will not be usable. It is most important to ensure that operations are conducted in the same way at the alternate site as at the production site. The key point to confirm at the alternate site is that end-to-end processes work successfully. If end-to-end processes have not been ensured, it is difficult to conclude that the alternate site is ready to carry the business forward when a disruption occurs. It is important to have proper staffing at the alternate site. However, this would be secondary or part of ensuring that processes run successfully. A service level agreement is a fundamental business process. However, it is a secondary concern to ensuring that business processes work at the alternate site.

Answer 32

C is the correct answer. Justification Ensuring the confidentiality of the memory dumps is not a primary concern during forensic analysis. Encrypted memory dumps cannot be analyzed. If a memory dump made with an alternative tool is desired, it should be made only after the existing primary and backup dumps have been hashed, so that their authenticity can be established if necessary. Generating hashes for the primary and backup memory dumps provides a means of demonstrating that the dump used for analysis is identical to the one stored for reference. It is essential that this step be performed before anything might happen to corrupt the original memory source, so it should be done as soon as possible. Documentation of the process should exist as part of the incident response procedures, but if it does not, the middle of an incident is not the best time to create it.

Answer 33

A is the correct answer. Justification The business impact analysis (BIA) is the critical process for deciding prioritization of restoration of the information system/business processes in case of a security incident. Risk assessment provides information on the likelihood of occurrence of a security incident and assists in the selection of countermeasures, but not in prioritization of restoration. A vulnerability assessment provides information regarding the security weaknesses of the system, supporting the risk analysis process. Business process mapping assists in conducting a BIA, but additional information obtained during a BIA is needed to determine restoration prioritization.

Answer 34

A is the correct answer. Justification Periodic testing of the business continuity plan (BCP) would have helped the incident response team monitor the warm site and address the need for patches and updates proactively. Testing would also have identified potential complications and enabled the development of any needed workarounds. The state of warm site computers may not be identified in the implementation phase. Changing the site from a warm site to a hot site would not address the issue of required operating system (OS) updates for computers. Even hot sites require thorough testing of the BCP. The issue here is with the lack of testing the state of the computers’ OSs and is not related to the business impact analysis (BIA). An inaccurate BIA would have wrongly prioritized the order of restoration.

Answer 35

C is the correct answer. Justification Although the current recovery facility cannot satisfy the maximum tolerable outage (MTO), that does not change the MTO. The enterprise should document an inability to meet the MTO and continue developing a new facility that will satisfy the objective. The recovery point objective (RPO) is not affected by the stated deficiencies in the current recovery facility. The service delivery objective (SDO) reflects a commitment to internal customers to meet certain performance standards. To be realistic, the objective must be changed to reflect the operating capabilities of the current recovery facility. The MTO must be at least as great as the allowable interruption window (AIW). Therefore, it is possible that exceeding the MTO will result in not being able to meet the AIW, which will result in unacceptable damage to the enterprise. However, as with the MTO, the inability to meet the AIW does not make the associated damage acceptable, so changing the AIW would not be appropriate.

Answer 36

A is the correct answer. Justification The recovery point objective (RPO) is determined based on the acceptable data loss in the case of disruption of operations. RPOs effectively quantify the permissible amount of data loss in the case of interruption. RPO cannot be used to determine allowable down time. RPO does not set the baseline for operational resiliency. RPO will determine the required frequency and type of backup. The shorter the RPO, the more frequent the backups.

Answer 37

A is the correct answer. Justification If all the plans exist only in electronic form, this presents a serious weakness, as the electronic version may be dependent on restoration of the intranet or other systems that are no longer available. Versioning control is actually easier with an automated system. Broken hyperlinks are a concern, but less serious than plan accessibility. Tracking changes in personnel and plan assets is actually easier with an automated system.

Answer 38

B is the correct answer. Justification Copies of contracts and service level agreements would not be as immediately critical as the business continuity plan (BCP) itself. Without a copy of the BCP, recovery efforts would be severely hampered or might not be effective. The BCP would contain a list of the emergency numbers of service providers. Key software escrow agreements would not be as immediately critical as the BCP itself. A list of emergency numbers would be a part of the BCP.

Answer 39

D is the correct answer. Justification While cost-cutting measures may be necessary in response to revenue losses, they do not address the impending disruption in operations. Identifying alternate suppliers and other proactive measures are more effective in mitigating the impact of supply chain disruptions. Making adjustments internally by prioritizing usage and utilizing the remaining inventory more efficiently may help a little but will not guarantee continuity of operations. Relying solely on the affected supplier to resume operations without exploring alternative options may lead to prolonged disruptions and negative consequences for the retail company. While marketing strategies may help mitigate the impact of revenue losses in the short term, they do not address the underlying issue of supply chain disruptions. Implementing new marketing strategies may be beneficial in managing customer expectations during shortages, but it should complement proactive measures such as identifying alternate suppliers to ensure continuity of inventory supply. Diversifying the supplier base by identifying alternative suppliers and establishing relationships with them enables companies to mitigate the impact of supply chain disruptions and ensure continuity of inventory supply while minimizing potential stock shortages and revenue losses.

Answer 40

D is the correct answer. Justification Senior management should select the most appropriate strategy from the alternatives provided. All recovery strategies have associated costs, including costs of preparing for disruptions and putting them to use in the event of a disruption. The latter can be insured against, but not the former. The best recovery option need not be the least expensive. The selection of strategy depends on criticality of the business process and applications supporting the processes. It need not cover all applications. A recovery strategy identifies the best way to recover a system in case of disaster and provides guidance based on detailed recovery procedures that can be developed. Different strategies should be developed and all alternatives presented to senior management. Senior management should select the most appropriate strategy from the alternatives provided. The selected strategy should be used for further development of the detailed business continuity plan.

Answer 41

B is the correct answer. Justification Regulatory requirements may not be consistent with business requirements. The criticality to business should always drive the decision. The financial value of an asset may not correspond to its business value and is irrelevant. While a consideration, IT resource availability is not a primary factor.

Answer 42

D is the correct answer. Justification While collaboration with trusted partners can help in strengthening the disaster recovery strategy, it will not help in identifying gaps. An audit is performed on a sampling basis and may not highlight the gaps in business continuity requirements and disaster recovery capabilities. Approval from senior management does not ensure alignment of both documents unless gaps are identified through drills and then filled. To effectively align business continuity requirements with disaster recovery capabilities, regular drills are needed to help identify gaps so issues can be fixed, ensuring that recovery time objective (RTO) and recovery point objective (RPO) are achieved.

Answer 43

C is the correct answer. Justification The cost of rebuilding the primary processing facility is not a factor in choosing an alternate recovery site. The daily cost of losing systems is the same whether the alternate site is built or rented. The decision whether to build an alternate facility or rent hot site facilities from a third party should be based entirely on business decisions of cost and ensuring the location is not susceptible to the same environmental risk as the primary facility. Annual loss expectancy is not a factor in choosing to build or rent an alternate site.

Answer 44

B is the correct answer. Justification Real-time local backup to network-attached storage (NAS) provides real-time backup data in the same location. Both real data and backup data could possibly be affected by the same disaster. Remote online storage area network (SAN) backup is a real-time backup of primary site data to high speed and bandwidth remote SAN storage. Although more expensive, this offers higher availability of data in case of primary site disasters. Online data backup direct-attached storage (DAS) takes place in the same location. Because DAS is a data storage and availability solution in which the storage device (e.g., disk drive) is directly attached to a server or client, both real data and backup data could possibly be affected by the same disaster. The primary disadvantage of asynchronous replication to a remote site is the time lag between data being stored at the primary and remote sites. If there is an incident or outage, transactions and data that are not replicated at the time of the incident will be lost, and data in secondary storage may not be current.

Answer 45

D is the correct answer. Justification The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster. The RTO is not a factor in determining the recovery point objective (RPO). The determination of the RPO would have already taken cost into consideration. The service delivery level is directly related to the business needs. It is the level of services to be reached during the alternate process mode until the normal situation is restored. The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

Answer 46

A is the correct answer. Justification Errors and omissions (E&O) insurance and cybersecurity insurance offer similar types of liability coverage, although they each address different types of risk. E&O insurance provides legal liability protection in the event that an enterprise commits an act of error or omission that results in financial loss to a client, such as falling victim to social engineering attack. If the enterprise stores customer data, such as credit card numbers or email addresses, cybersecurity insurance will be sufficient. If client or other organizational data storage is compromised, this policy will pay for customer notification costs, a public relations campaign, and other recovery expenses. If the cyberattacks result in disruptions in business process activities and operations, then insurance coverage against business interruptions would be the best choice. An enterprise typically cannot insure against failure to comply with legal and regulatory requirements or any other breach of the law.

Answer 47

A is the correct answer. Justification A business impact analysis (BIA) provides results, such as impact from a security incident and required response times. The BIA is the most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. Risk assessment is a very important process for the creation of a business continuity plan. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures but not in their prioritization. A vulnerability assessment provides information regarding the security weaknesses of the system, supporting the risk analysis process. Business process mapping facilitates the creation of the plan by providing mapping guidance on actions after the decision on critical business processes has been made—translating business prioritization to IT prioritization. Business process mapping helps not in making a decision but in implementing a decision.

Answer 48

D is the correct answer. Justification While regular testing and exercises of the business continuity plan (BCP) may contribute to ensuring compliance with industry regulations and standards indirectly by enhancing preparedness and resilience, the primary purpose of these activities is to assess and improve the effectiveness of the BCP itself rather than solely focus on compliance. While a well-prepared and effective BCP can contribute to maintaining productivity and speed up the company’s response to a crisis, the primary purpose of regular testing and exercises is to assess and uncover areas needing improvement, such as incomplete procedures, and take corrective actions to increase the plan’s maturity. While having a robust BCP can contribute to the organization’s sustainability by mitigating the impact of disruptions, the primary purpose of regular testing and exercises is to assess and improve the BCP’s effectiveness rather than directly demonstrate a commitment to sustainability. Regular testing of the BCP helps organizations identify weaknesses and gaps in the plan and procedures. By simulating various scenarios, organizations can assess the effectiveness of their BCP in real-world conditions and uncover areas for improvement, such as incomplete procedures or overlooked dependencies.

Answer 49

A is the correct answer. Justification Because the original recovery time objective (RTO) cannot be met due to the time required to restore data, the RTO could be increased. Decreasing the service delivery objective (SDO) would increase the problem and is not a solution. Adjusting the maximum tolerable outage (MTO) would not have any effect on the situation. Increasing the allowable interruption window (AIW) is based on the maximum time the enterprise can be down before major financial impacts occur.

Answer 50

B is the correct answer. Justification During contingency situations, contact with one or more senior managers may be lost. In such cases, a documented succession plan is important as a means of establishing who is empowered to make decisions on behalf of the enterprise. However, if an enterprise experiencing a contingency situation has only a succession plan and no distributed key process documentation, the effectiveness of the empowered decision maker will be limited. A succession plan is, therefore, worthwhile but less important than process documentation. Many factors come into play during contingency situations, but continuity is possible only when personnel who are able to resume key processes have the knowledge to do so. When key process documentation is distributed to contingency locations, it is available for the use of any staff who report to these locations during contingencies, and so long as that documentation is up to date, it may be used even by those who may not typically be involved in performing those functions. Reciprocal agreements are established when contingency sites are shared among multiple business partners. There are business justifications for establishing these relationships, but having them established is generally not going to ensure continuity of operations. Strong leadership by senior management drives the preparation that goes into continuity of operations planning before a contingency situation arises. Assuming that this preparation has been adequate, however, the continuity functions should be carried out by enterprise personnel even if leadership during the contingency is interrupted or lacking in strength.

Answer 51

D is the correct answer. Justification Technical recovery plans are associated with infrastructure disaster recovery. Network redundancy is associated with infrastructure disaster recovery. Equipment needs are associated with infrastructure disaster recovery. Of the choices, only recovery time objectives directly relate to business continuity.

Answer 52

D is the correct answer. Justification A recovery point objective identifies the maximum acceptable data loss associated with successful recovery. It does not prioritize the order of incident response. Risk assessment (both qualitative and quantitative) examines sources of threat, associated vulnerability and probability of occurrence. At the point that an incident occurs, the probability aspect of risk is no longer unknown, so the degree of impact drives the prioritization of incident response, captured in the specialized business impact analysis. Business continuity plans define procedures to follow when business functions are impacted. They do not prioritize the order of incident response. Business impact analysis is a systematic activity designed to assess the effect upon an enterprise associated with impairment or loss of a function. At the point that an incident occurs, its probability is no longer unknown, so it is the potential impact on the enterprise that determines prioritization of response activities.

Answer 53

C is the correct answer. Justification Although ensuring that only materials taken from offsite storage are used in the test is important, it is not as critical in determining a test’s success. While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test. To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated. Achieving recovery time objectives is an important milestone, but it does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes, materials and accessories, etc.

Answer 54

D is the correct answer. Justification Keeping agreements at the hot site is not necessary as they likely would not be referenced in a disaster scenario. Since the disaster recovery site is a hot site, it already contains the equipment, network, and systems software. Service delivery objectives are the service level agreements applicable during disasters. It is useful for them to be kept in the disaster recovery site, but they are not more important than copies of disaster recovery plans (DRPs). In addition to the backup of data and programs, having access to copies of the DRPs, which include recovery steps and a list of contact information, is very important for a hot site so that services within the recovery time objective can be recovered quickly after the primary site goes down.

Answer 55

A is the correct answer. Justification In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business knowledge can be lost. It is, therefore, critical to maintain an updated copy of the detailed recovery plan at an offsite location. In a disaster situation, without the detailed technical plan, business recovery will be seriously impaired. Continuity of the business requires adequate network redundancy. Ideally, the business continuity program addresses this satisfactorily. Continuity of the business requires hot site infrastructure that is certified as compatible, along with clear criteria. Ideally, the business continuity program addresses these needs satisfactorily. Continuity of the business requires clear criteria for declaring a disaster. Ideally, the business continuity program addresses this satisfactorily.

Answer 56

C is the correct answer. Justification Critical data are secondary to safety of personnel. Critical infrastructure is secondary to safety of personnel. The safety of an enterprise’s employees should be the most important consideration given human safety laws. Human safety is considered first in any process or management practice. Vital records are secondary to safety of personnel.

Answer 57

A is the correct answer. Justification Location is critical since the recovery site must not be subject to the same disaster as the primary site; cost is the second main consideration. The cost of losing critical systems is not affected by a buy-or-build choice. Infrastructure complexity and system sensitivity are the same whether in a third-party facility or not. Criticality is the same regardless of the alternate site choice.

Answer 58

D is the correct answer. Justification Storage capacity and shelf life are important but secondary issues. Legal and regulatory requirements do not generally apply to long-term retention of electronically stored business records. Business strategy and direction do not generally apply to long-term retention of electronically stored business records. Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover.

Answer 59

C is the correct answer. Justification The service delivery objective is the required level of functionality that must be supported during the alternate process mode until the normal situation is restored, which is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal or acceptable operations defined by the service level objective. The RTO must be shorter than the allowable interruption window (AIW). The length of the AIW is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services and applications. AIW is generally based on the downtime before the enterprise suffers major financial damage. The technical implementation of the disaster recovery site will be based on this constraint, especially the choice between a mirrored, hot, warm or cold site. Maximum tolerable outage is the amount of time the enterprise can operate in alternate mode based on various factors such as accessibility and performance levels.

Answer 60

A is the correct answer. Justification While both plans are essential, the disaster recovery plan (DRP) focuses on restoring IT systems and data. This is not necessarily covered when testing the business continuity plan (BCP). Preparation for incident response is a common objective of both the BCP and DRP. Overall business resilience is enhanced by both plans. Ensuring continuous delivery of essential services and products is more aligned with the focus of the BCP, not the DRP.

Answer 61

D is the correct answer. Justification Testing on weekends can be advantageous, but this is not the most important choice. Because vendor-provided hot sites are in a state of constant change, it is not always possible to have network addresses defined in advance. Although it would be ideal to provide for identical equipment at the hot site, it is not always practical because multiple customers must be served and equipment specifications will vary. Disaster recovery testing requires the allocation of sufficient resources to be successful. Without the support of management, these resources will not be available, and testing will suffer as a result.

Answer 62

B is the correct answer. Justification Establishment of distributed operation centers does not compensate for a lack of detail in the recovery plan. When recovery is underway in response to an incident, there are many cases in which decisions need to be made at each management level. This may take up considerable time due to escalation procedures. Therefore, it is desirable that delegation of authority becomes effective during the recovery process. Scope of delegation of authority in recovery execution may be assessed and documented in business continuity policies and procedures. Outsourcing will not resolve any failure to meet recovery time objectives, unless the recovery strategy includes a clear line of authority and adequate detail in the plan. Incremental backup of voluminous databases may be recommended to expedite the data backup process. However, it generally increases the time needed to recover.

Answer 63

B is the correct answer. Justification The volume of data will be used to determine the capacity of the backup solution. The recovery point objective defines the maximum loss of data acceptable by the business (i.e., age of data to be restored). It will directly determine the basic elements of the backup strategy— frequency of the backups and what kind of backup is the most appropriate (disk-to-disk, on tape, mirroring). The recovery time objective—the time between disaster and return to normal operation—will not have any impact on the backup strategy. The availability to restore backups in a time frame consistent with the interruption window will have to be checked and will influence the strategy (e.g., full backup versus incremental), but it will not be the primary factor.

Answer 64

A is the correct answer. Justification The most common failure of disaster recovery plans is lack of current essential operational information. Tabletop walkthroughs are useful only if the information about systems and versions is up-to-date. Recovery exercises are critical for testing plans and procedures. However, using expert personnel makes the recovery tests less useful because experts already have the knowledge to recover systems without using plans and written procedures, and there is no assurance that in a real disaster they would be available. Audits can be helpful, but they are typically infrequent and use sampling; therefore, they provide limited and only occasional assurance that information in recovery plans is up-to-date.

Answer 65

B is the correct answer. Justification Although line capacity is important from a mirroring perspective, it is secondary to having the necessary capacity to restore critical systems. If data centers are operating at or near capacity, it may prove difficult to recover critical operations at an alternate data center. Differences in logical security constitute a much easier issue to overcome and are, therefore, of less concern. Synchronization of system software releases is a much easier issue to overcome and is, therefore, of less concern.

Answer 66

B is the correct answer. Justification Designing secure network architectures is more aligned with preventive measures than post-incident recovery processes. The information security manager must understand the basic processes required to recover operations from information system incidents resulting in security breaches and system failures, natural disasters, and other events that could potentially disrupt business operations. Conducting regular training sessions on disaster response for all employees is valuable, but it does not specifically address the information security manager’s role in developing and implementing recovery processes. Ensuring resources are available is the responsibility of the chief information officer (CIO), not the information security manager.

Answer 67

A is the correct answer. Justification The business impact analysis will help determine the recovery time objective and recovery point objective for the enterprise. This information will drive the decision on the requirements for an alternate site. Natural disasters are just one of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery. While a benchmark could provide useful information, the decision should be based on a BIA, which considers factors specific to the enterprise. Regulatory requirements are just one of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery.

Answer 68

A is the correct answer. Justification For security and privacy reasons, all organizational data and software should be erased prior to departure. Evaluations can occur back at the office after everyone is rested. An assessment of the hot site provider should be included in the postmortem. Results of the test are a part of the postmortem.

Answer 69

B is the correct answer. Justification The availability of high-speed Internet is essential but may not be the primary factor in recovery site selection. One key consideration when selecting a recovery site is geographical separation and diversity. This involves choosing a site that is located a significant distance away from the primary site to mitigate the risk of both sites being affected by the same regional disasters or events. Cost-effectiveness is important but should be balanced with other critical factors. Even the most cost-effective site could be ineffective if located in the same geographical area as the primary site. Accessibility to public transportation is not a primary concern for a recovery site selected for disaster recovery purposes.

Answer 70

D is the correct answer. Justification The maximum tolerable outage, the amount of time the enterprise can operate in alternate mode, would normally exceed the acceptable interruption window (AIW). While a difference in operating system versions might cause a delay, it would probably be minor. Service delivery objectives (SDOs) are directly related to the business needs. The SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. Not meeting SDOs on some systems might be a concern but would not necessarily lead to the conclusion that the test was a failure. Exceeding the AIW would cause the enterprise significant damage and must be avoided. The acceptable interruption window is the maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objectives.

Answer 71

C is the correct answer. Justification The probability and types of major business impacting outages likely to occur is one factor, but it is not sufficient without consideration of business priorities, recovery time dimension needs, and cost. Probabilities and the types of major outages occurring are covered in risk assessment. Although disaster recovery (DR) activities are related to technology and information recovery and IT plays an important role during a disaster, these factors can only influence the feasibility of a DR as a Service (DRaaS) alternative. Without considering other factors, this option would be limited in scope and not sufficient to justify any alternative selection. Any risk of lack of capabilities during recovery would be covered in risk assessment and those capabilities would be needed independent of recovery strategies. DR site types have unique advantages and disadvantages. Recovery time parameters, budget and cost, business priorities, and location are the most influential factors in selecting the most appropriate DR off-site facility. Business priorities and recovery time dimension needs are covered in the business impact analysis, while the probability of major outages occurring, and the nature and extent of impacts, are covered in risk assessment. Existing hardware, software, and network redundancies are good to know, but it would be necessary to know the recovery time objective (RTO), recovery point objective (RPO), probabilities of major outages, and cost to design the right off-site recovery strategies.

Answer 72

D is the correct answer. Justification Access to a hot site is not indefinite; the recovery plan should address a long-term outage. Sharing a hot site facility is common practice and sometimes necessary in the case of a major disaster, and it is not a significant weakness. First come, first served is a standard practice in hosted facilities and does not constitute a major weakness. In case of a disaster affecting a localized geographical area, the vendor’s facility and capabilities could be insufficient for all its clients, which will be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.

Answer 73

D is the correct answer. Justification Past incidents can be a useful guide to the types and severity of incidents but will not necessarily provide any information on a current incident. Integrating incident management with business continuity facilitates response to high-severity incidents, but severity level must be determined prior to invoking the business continuity plan. Maintaining an inventory of assets and resources may be helpful when determining the severity of incidents but is not a requirement. The incident response team is likely not as well-informed regarding each operational area impacted by a security incident as the managers from those areas, so it makes sense to consult with the managers to get their estimates.

Answer 74

A is the correct answer. Justification Following the enactment of a new regulation, the critical focus should be on reassessing and recalibrating the specific triggers for reporting—considering risk level, event scale, types of information, and systems involved—under the lens of all applicable regulations. Although determining the statistics on the increase of incidents could provide some understanding of the issue’s scale, it is more important to understand the incident that requires reporting. Reevaluating risk tolerance is an important aspect of an ongoing security strategy but not the primary concern when adjusting incident classification protocols after a regulatory shift. While bolstering the security team could be needed to handle a rise in reported incidents, it is vital to outline the incidents that necessitate reporting first.

Answer 75

B is the correct answer. Justification While using predefined incident categories based on industry standards may streamline incident handling processes, it may not capture the specific nuances of security incidents within the organization’s business analytics environment. Customization is crucial to accurately categorize incidents based on unique data types and analytics tools. Tailoring the framework ensures that incident classification aligns with the unique characteristics of the organization’s analytics operations, enhancing the effectiveness of incident response efforts. Assigning the responsibility solely to the incident response team without considering the broader context of business analytics operations may result in inadequate incident classification. Effective incident classification requires collaboration with stakeholders familiar with the organization’s analytics environment to accurately assess the impact of security incidents. While outsourcing incident classification tasks to a managed service provider may provide expertise, it may not capture the organization’s specific business analytics context. It also may not be cost-effective. Internal stakeholders are better positioned to understand the nuances of the analytics environment and ensure accurate incident classification tailored to organizational needs.

Answer 76

A is the correct answer. Justification Accurate incident classification reflects an incident’s priority level and is usually determined by assessing its impact and urgency. Urgency is a measure of how quickly the incident needs to be resolved to avoid significant effects on business operations. Impact is a measure of the extent of the incident and of the potential damage caused by the incident before it can be resolved. The size and capabilities of an incident response team are related to the desired resolution time of the incident. Without considering the impact dimensions, these criteria would not be effective in assigning classification levels to incidents. Sensitivity and criticality of affected assets is related to the impact of an incident. Without considering the urgency of resolution, these criteria would not be effective in assigning classification levels to incidents. Type and likely duration of an incident is related to the urgency of the incident. Without considering the impact dimensions, these criteria would not be effective in assigning classification levels to incidents.

Answer 77

B is the correct answer. Justification Assisting in proactively managing news media, social media, regulators, vendors and other third parties is part of the containment, eradication and recovery phase. During the detection and analysis phase, the financial, legal, regulatory, operational and reputational impacts are determined. From this analysis, the incident can be assigned a category. Identifying accountable parties for the incident root cause and assigning ownership of remedies is part of the post-incident activity phase. Notifying concerned stakeholders is part of the response activities in the incident response plan.

Answer 78

C is the correct answer. Justification While unauthorized access is indeed a component of the incident, simply categorizing it as unauthorized access might not fully capture the severity of the situation, as it doesn’t explicitly convey the compromise of sensitive customer data, which is a critical aspect of this scenario. While privilege escalation may be one of the ways to gain access to unauthorized data, it is not the only way and does not fully address the incident. Data breach is a better classification of the incident, as it is defined as access, disclosure, or use of sensitive data by unauthorized entities. This classification is most appropriate because the incident involves unauthorized access to a database containing sensitive customer data. A data breach occurs when sensitive or confidential information is accessed, disclosed, or used by unauthorized individuals or entities. While the intrusion and unauthorized access could indeed be classified as a security incident, this term is quite broad and may not adequately convey the specific nature of the breach, which involves the compromise of sensitive customer data. Therefore, categorizing it as a data breach provides a more precise description of the incident.

Answer 79

B is the correct answer. Justification While the extent of data compromised and its potential impact on customers are important considerations, they are part of the overall risk assessment and do not alone determine the need for external reporting. The severity of the incident and the level of risk associated would include all possible scenarios and considerations to determine whether the incidents necessitated external reporting. The potential impact on the company’s reputation and customer trust is a significant concern, but it is part of the overall risk assessment and does not alone determine the need for external reporting. The potential regulatory implications and fines due to the incident are important considerations, but they are part of the overall risk assessment and do not alone determine the need for external reporting.

Answer 80

A is the correct answer. Justification Classifying incidents based on impact to the organization is essential to optimize the limited resources available when multiple incidents are detected/reported. Documenting the number of incidents in each category is required for reporting but is not the most important reason. Determining the escalation hierarchy may be required for high-risk incidents that cannot be closed in time, resulting in higher impact. Escalation may not be required for all incidents. Monitoring the performance of the response team is not the most important reason for classification.

Answer 81

C is the correct answer. Justification Based on the alert condition, the incident response team meets to evaluate the damages and decide whether to declare a disaster or launch the response and recovery plan. A lack of commitment may result in inefficiencies, but even with commitment, absence of an alert condition will have a bigger impact on the enterprise. An alert situation prompts the notification to individuals within the enterprise who have authoritative decision-making responsibilities when an incident is suspected. If the process and requirements for the alert condition do not exist or are not effective, it could result in delays and unnecessary spread of the incident throughout the enterprise. Training is important, but training on a flawed incident response plan would not be effective.

Answer 82

B is the correct answer. Justification Monitoring service level agreements (SLAs) for the service desk is not the main responsibility of a security manager. User issues could be related to potential security incidents. Therefore, reviewing help desk tickets could enable early detection of events or incidents and aid in reducing the impact associated with such events or incidents. Updating awareness content is one of the reasons a manager may review tickets, but it is not as important early detection of security incidents. Reviewing and updating the knowledge repository for service desk employees is not the responsibility of the information security manager.

Answer 83

A is the correct answer. Justification The information security manager should work with management to define and implement an escalation process to establish the events to be managed using incident management policies and procedures. A detailed description of the escalation process and hierarchy of authorities for various recovery actions or disasters must be clear and documented. The primary emphasis should be on the clarity and documentation of the escalation process, not on categorizing routine events. Detailed descriptions are considered important for effective emergency and incident management. Avoiding detailed descriptions to expedite recovery actions is not the recommended approach, as there is a need for a detailed description of the escalation process and authorized recovery actions.

Answer 84

B is the correct answer. Justification The complexity of the technology environment does not mean an incident’s impact is going to be high or that important assets would be affected, requiring a quick response. The duration of an incident is important, but it cannot be determined before escalation. Incident classification and categorization levels define the likely impact levels and urgency of the response. To have effective escalation, urgent and high-impact incidents require faster resolution. Affected assets and processes are important, but these factors do not show the incident’s impact level. These may be important to know to effectively notify business stakeholders but not for incident responders. The skills and capabilities of an incident responder must be combined with the type and nature of incidents so that the impact and urgency of incidents can be escalated for resolution effectively and efficiently. Seniority levels are important when an escalated incident cannot be resolved in a timely manner.

Answer 85

A is the correct answer. Justification The primary reason for conducting triage is that incident handling resources are limited, and they must be used for the greatest benefit. With categorization, prioritization and assignment of incidents based on their criticality, resources can be allocated more efficiently. Triage is not generally considered a mandatory process in incident handling. Triage does not mitigate an incident but applies available resources most effectively to address the impact. Triage does not serve to detect incidents.

Answer 86

A is the correct answer. Justification Roles and responsibilities for all involved in incident response should be established when the incident response plan is established. Determining roles and responsibilities during a disaster is not the best time to make such decisions, unless it is absolutely necessary. While testing the plan may drive some changes in roles based on test results, roles (including who declares the disaster) should have been established before testing and plan approval. Roles and responsibilities for all involved in incident response should be established when the incident response plan is established, not after the details have been approved.

Answer 87

C is the correct answer. Justification Legal and regulatory requirements are not optional guidelines. They are mandatory requirements that organizations must adhere to in order to comply with the law. Treating them as optional could lead to noncompliance and legal repercussions. While legal and regulatory requirements may necessitate collaboration between different teams within an organization (including IT and management), their primary purpose is to ensure compliance with laws and regulations, not to serve as a collaboration framework. Legal and regulatory requirements are not merely guidelines or recommendations; they often represent mandates that organizations must follow to comply with relevant laws and regulations. These requirements establish baseline standards for how organizations handle and respond to information security incidents. Legal and regulatory requirements encompass more than just technical aspects of incident response planning. They often include requirements related to data protection, privacy, reporting obligations, and other legal considerations that go beyond purely technical concerns.

Answer 88

B is the correct answer. Justification Significant incidents cannot always be prevented due to the existence of vulnerabilities. Classification and categorization of cybersecurity incidents do not prevent incident recurrence. The main objective of incident classification and categorization is to assign limited incident resources to where they can be most effective rather than on a first-come, first-serve basis. This approach ensures that resources are allocated efficiently, focusing on the most critical threats first. Containment includes all the activities, tasks, and steps taken to limit or reduce the impact of an incident. Incident classification and categorization can help incident containment activities by ensuring a prompt response but do not ensure that these activities are conducted effectively. Although classified and categorized incidents should be treated appropriately by incident response team members, the main objective of classification and categorization of cybersecurity incidents is not to improve the awareness of the incident response teams.

Answer 89

A is the correct answer. Justification The incident involves a malicious insider who intentionally alters critical configuration settings on a production server. An insider threat refers to the risk posed to an organization’s security or data by individuals who have insider access and knowledge, such as employees, contractors, or partners, and who misuse their privileges for malicious purposes. A configuration error typically refers to incidents caused by unintentional misconfigurations or errors in system settings or configurations that lead to security vulnerabilities. However, in this scenario, the alteration of critical configuration settings was intentional and aimed at causing disruption, rather than being unintentional. Privilege escalation occurs when an attacker starts with an account without elevated privileges, exploits vulnerabilities, and gains higher privileges. Here, the insider may already have an admin account and is using it for malicious intentions. Hence, the incident is better classified as an insider threat. Denial of service involves malicious attempts to disrupt or deny access to services or resources. In this scenario, the disruption in services caused by the alteration of configuration settings aligns with the outcome of a denial-of-service attack. However, the root cause of the disruption is the intentional actions of a malicious insider, which distinguishes it from a typical denial of service attack initiated by external actors.

Answer 90

B is the correct answer. Justification With checklist tests, copies of the business continuity plan are distributed to various persons for review. In these tests, people do not exercise a plan. Business continuity coordinators come together to practice executing a plan based on a specific scenario. This does not interrupt normal operations and provides the most assurance of the given nonintrusive methods. In walk-through tests, representatives come together to go over the plan (one or more scenarios) and ensure the plan’s accuracy. The plan itself is not executed. Full operational tests are the most intrusive to regular operations and business productivity. The original site is actually shut down and processing is performed at another site, thus providing the most assurance, but interrupting normal business productivity.

Answer 91

A is the correct answer. Justification The goal of incident response is to resolve incidents within agreed-on time limits. The number of change requests related to infrastructure changes simply indicates that there have been required changes to the internal architecture. Those change requests may or may not have anything to do with found vulnerabilities or reported incidents. The end of the month is an arbitrary time, unrelated to agreed-on time limits for incident resolution. The source of incidents does not provide input concerning the effectiveness of incident management.

Answer 92

A is the correct answer. Justification A tested business continuity plan/disaster recovery plan is the best indicator that operational risk is managed effectively in the enterprise. Reporting incidents by employees is an indicator but not the best choice, because it is dependent upon the knowledge of the employees. Extent of risk management education is not correct, because it may not necessarily indicate that risk is effectively managed in the enterprise. A high level of risk management education would help but would not necessarily mean that risk is managed effectively. Regular review of risk by senior management is not correct because it may not necessarily indicate that risk is effectively managed in the enterprise. Top management involvement would greatly help but would not necessarily mean that risk is managed effectively.

Answer 93

D is the correct answer. Justification While technical controls are important for preventing insider threats, relying solely on preventing them may not be sufficient. Insider threats can involve deliberate actions by individuals with legitimate access, making it essential to complement technical controls with employee awareness and reporting mechanisms. While communication with law enforcement agencies may be necessary for certain insider threat incidents, delaying communication until all facts are verified could hinder timely response efforts. Prompt reporting of insider threats to law enforcement can aid in investigation and resolution, helping to mitigate the impact of the incident. While accountability is important, assigning blame and punishment should not be the primary focus when improving incident response for insider threats. Instead, the focus should be on understanding the root causes of the incident, enhancing detection and prevention measures, and fostering a culture of security awareness and collaboration within the organization. By raising awareness and empowering employees to recognize and report insider threats, the organization can enhance its ability to detect and respond to such incidents effectively.

Answer 94

C is the correct answer. Justification The total number of open incidents is not an indicator of incident response effectiveness because the team does not have direct control over the number of incidents it must handle at any given time. Reduction of the number of security incidents generally cannot be attributed to the effectiveness of the response team but rather to improved controls. Reduction of response time helps minimize the impact of the incident and is the best indicator of the effectiveness of the incident response process. The number of incidents handled per month would not be a direct indicator of team effectiveness.

Answer 95

C is the correct answer. Justification Quarterly updates do not establish that a plan meets the enterprise’s needs. Automated surveys are a method that could be used during testing but, on its own, is not sufficient. Cross-departmental testing of a plan with varied scenarios is most effective in determining the validity of a business continuity plan (BCP). Face-to-face meetings is a method that could be used during testing but, on its own, is not sufficient.

Answer 96

B is the correct answer. Justification The objective is to measure the effectiveness of the response to cybersecurity incidents, not reduce the number of incidents overall. Reducing the mean time to detect, respond and recover is aligned with the objective of cybersecurity incident response. While it is important to increase awareness, this is not the primary objective of incident response. Increasing the accuracy of detecting cybersecurity incidents is the objective of security monitoring, not incident response.

Answer 97

B is the correct answer. Justification It is not the aim of observation to identify people who have not followed the process. After a test, results should be reviewed to ensure that lessons learned are applied. Identifying equipment that is needed may be part of the lessons learned but is not the sole reason for the review. Review is conducted not only to maintain evidence but also to make improvements.

Answer 98

C is the correct answer. Justification A checklist test does not provide more assurance than a full interruption test. Checklist tests are a preliminary step to a real test. Recovery checklists are distributed to all members of a recovery team to review and ensure that the checklist is current. A table-top exercise does not provide more assurance than a full interruption test. Table-top exercises may consist of virtual walk-throughs of the disaster recovery plan (DRP), or they may involve virtual walk-throughs of the DRP based on different scenarios. A full interruption test gives the enterprise the best assurance because it is the closest test to an actual disaster. It generally involves shutting down operations at the primary site and shifting them to the recovery site in accordance with the recovery plan; this is the most rigorous form of testing. A simulation test does not provide more assurance than a full interruption test. During simulation testing, the recovery team role-plays a prepared disaster scenario without activating processing at the recovery site.

Answer 99

C is the correct answer. Justification A structured walkthrough test requires only that representatives from each operational area meet to review the plan procedures physically and then implement the plans on paper and review each step to assess its effectiveness and identify enhancements, constraints, and deficiencies. The quality of the results depends on the team’s capabilities and will not be as effective as parallel testing. Full interruption tests can provide the most effective results for all aspects of incident response and recovery capabilities of a plan. The primary site is brought down, and recovery sites are activated; therefore, it is the most disruptive to business operations. In parallel testing, the incident response and recovery team actually tests the incident response and recovery roles in a test environment or offsite recovery site. Parallel testing is the most realistic simulation and provides teams with the best feedback about their roles without risking business operations. In simulation tests, a recovery team walks through a scripted simulation and discusses assessment and recovery procedures to determine whether a recovery plan is reasonable, but the results will not be as reliable as parallel testing.

Answer 100

C is the correct answer. Justification Auditing business process changes will not necessarily enable maintenance of the disaster recovery plan (DRP). Maintenance of the latest configuration will not show how current the process is, which is vital for disaster recovery planning. When a DRP is properly tested, the results of the tests will reveal shortcomings and opportunities for improvement. The maintenance of the personnel contact list is an indication of the personnel to be involved in the DRP. Although indicative of how current the DRP is, the DRP also should include the suppliers, customers and vendors needed for its success.

Answer 101

D is the correct answer. Justification A walk-through of all necessary recovery tasks is part of both tests. Only a full interruption test includes interruption of primary site operations. Both parallel tests and simulation tests rely on fictitious scenarios. A parallel recovery test includes the test of the operational capabilities of the recovery site, while a simulation test focuses on role-playing.

Answer 102

A is the correct answer. Justification An approved and tested plan will provide assurance of the provider’s ability to address incidents within an acceptable recovery time, and an internal team's ability to provide oversight and liaison functions that ensure the response is executed according to plan. Identifying a liaison is not sufficient by itself to provide assurance of adequate incident response performance. Notification and reporting is not a sufficient assurance of suitable response activities and provides no capability for input, participation or addressing related issues in a timely manner. Audits provide a periodic snapshot of the sufficiency of the provider’s plans and capabilities but are not adequate to manage collateral and consequential issues in the event of a significant incident.

Answer 103

C is the correct answer. Justification While up-to-date contact information is important, it is no more important for an untested plan than for a tested plan. Whether a risk is acceptable or not is a business determination and is not a function of testing. A response plan may prove unworkable upon testing despite appearing to cover all areas as written. Whether a plan has been tested is not quickly apparent from inspection.

Answer 104

A is the correct answer. Justification The most important reason to frequently test an incident response playbook is to identity weaknesses and gaps in the procedures during incident eradication and recovery activities. Cost is not the main reason for testing the playbook. Playbooks are used to eradicate malware after the infection, not to provide real-time protection. The incident response playbook does not reduce the duration of the incident containment process.

Answer 105

A is the correct answer. Justification Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring that the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.

Answer 106

B is the correct answer. Justification The fact that threats can materialize into an incident requires the presence of system vulnerabilities. It is the vulnerabilities that should be the focus of analysis when considering incident management procedures. Periodic testing and updates to incorporate lessons learned will ensure that implementation of the incident management response plan is aligned and kept current with the business priorities set by business management. All members of the incident management response team do not need to have IS skills. Members who take charge of implementing the incident management response plan should be able to use different skills to ensure alignment with the enterprise’s procedures and policies. It is important that someone take ownership of implementing the incident management plan (e.g., to formally declare that such a plan needs to be put into place after an incident). A non-hierarchical structure can introduce ambiguity as to who is responsible for what aspects of the incident management response plan.

Answer 107

C is the correct answer. Justification A red team test is a simulation of a real-life attack on the enterprise. It does not necessarily relate to testing the incident response plan. A penetration test is a simulated test to break into the enterprise’s network infrastructure. It does not necessarily relate to testing the incident response plan. A simulation test will ensure that all personnel know exactly what to do when an incident occurs. Vulnerability scanning detects defects in the enterprise’s infrastructure and applications. It does not necessarily relate to testing the incident response plan.

Answer 108

A is the correct answer. Justification A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. Publishing an enterprise-level incident response plan would be effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around. Sharing perspectives is valuable, but a working group does not necessarily lead to action ensuring that the interface between plans is workable. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.

Answer 109

D is the correct answer. Justification The governance function will determine the strategy and policies that will set the scope and charter for incident management and response capabilities. While response is a component of managing risk, the basis for risk management is determined by governance and strategy requirements. Compliance would not be directly related to this activity, although this function may have representation on the incident response team. The information security manager, or designated manager for incident response, should select the team members to ensure that all required disciplines are represented on the team.

Answer 110

A is the correct answer. Justification If properly deployed, configured and tuned, security information and event management (SIEM) can provide information on policy compliance, incident monitoring and other capabilities. SIEM is not used to manage residual risk. SIEM is an automated review of logs through aggregation and correlation and does not replace the need for firewalls. SIEM provides a series of detective controls, not compensating controls.

Answer 111

B is the correct answer. Justification Intrusion detection systems can detect and notify of a potential attack but provide no information on subsequent breaches, making them less effective at identifying persistent threats than system information and event management (SIEM) systems. SIEM systems can identify incidents or potential incidents, prioritize according to potential impact, track incidents until they are closed, and provide substantial trend analysis over time. Vulnerability scanning tools identify weaknesses in systems and networks that correspond to known paradigms. In general, advanced persistent threats (APTs) involve exploits that are outside the scope of published vulnerabilities, making vulnerability scanning a limited countermeasure against APTs. Integrated network management typically provides a limited subset of the capabilities of fully implemented SIEM.

Answer 112

A is the correct answer. Justification Continuous monitoring helps an enterprise identify adverse events in a timely manner. The reduced lag time to take steps to contain damage results in minimizing the impact. Aligning the security program with IT goals is a derived benefit of continuous monitoring rather than the primary objective. Identifying critical information assets is a prerequisite for implementing continuous monitoring. Reduction of policy exceptions is not a direct benefit of continuous monitoring.

Answer 113

D is the correct answer. Justification Requiring the use of strong passwords will not be sufficiently effective against an internal network-based attack. Assigning Internet Protocol (IP) addresses would not be effective since these can be spoofed. Implementing centralized logging software will not necessarily provide information on the source of the attack. Installing an intrusion detection system (IDS) will allow the information security manager to better pinpoint the source of the attack so that countermeasures may then be taken. An IDS is not limited to detection of attacks originating externally. Proper placement of agents on the internal network can be effectively used to detect an internally based attack.

Answer 114

A is the correct answer. Justification Implementing a security information and event management (SIEM) process helps ensure that incidents are correctly identified and handled appropriately. Because an SIEM process depends on log analysis based on predefined rules, the most effective way to reduce false-positive alerts is to develop use cases for known threats to identified critical systems. The use cases would then inform development of appropriate rules for the SIEM solution. Although security monitoring requires traffic analysis, only properly defined use cases can ensure that the rules are accurately defined and that events are properly identified, thereby reducing false-positive alerts. A risk assessment will not reduce false positive alerts. The quality of the logs can affect alerts but is usually a minor consideration.

Answer 115

D is the correct answer. Justification While evidence must necessarily be retained long enough to be submitted, the length of the retention period does not itself affect the admissibility of evidence. Read-only media reduces the possibility of tampering as a technical capability, but maintenance of a chain of custody serves as an adequate safeguard in any case. Review by an independent authority does not guarantee admissibility. Evidence is inadmissible without a clear chain of custody, which is a tracing of who had control of the evidence throughout the process.

Answer 116

A is the correct answer. Justification Structured query language (SQL) injection is an application-based attack. Because the security operations center has detected an attempt of SQL injection and could not determine if it was successful, the information security manager should approach the application support group that has access to data in order to identify the impact. The business process owner may help the application support group determine the overall impact, after it has been determined if the attack has been successful. Because SQL injection is an application-based attack, the network management team is not the best resource to assess the possible impact. The system administrator is not the best resource to assess the possible impact but may assist the application support team and assist with incident response activities, should the attack have been successful.

Answer 117

B is the correct answer. Justification Notification to law enforcement or senior management may occur in tandem with other activities, but preventing contamination of evidence takes priority. In many enterprises, the decision to notify law enforcement is made by senior management. If criminal charges may be filed, preventing contamination of evidence is the foremost concern to facilitate prosecution. Activation of the incident response team must be delayed until after steps have been taken to prevent contamination of evidence in situations where criminal charges may be filed. Containment is part of an effective incident response strategy, but preventing contamination of evidence takes priority over containment in situation where criminal charges may be filed.

Answer 118

B is the correct answer. Justification The type and severity of the attack should be studied after it is concluded that the incident is valid. An administrator conducting regular maintenance activities may trigger a false-positive alarm from the intrusion detection system. One must validate a real incident before taking any action. Damage should be contained and risk minimized after confirming a valid incident, thus discovering the type and severity of the attack. One of the goals of incident response is to minimize the disruption of computer resources.

Answer 119

B is the correct answer. Justification A backup does not preserve 100 percent of the data, such as erased or deleted files and data in slack space—which may be critical to the investigative process. The original hard drive or suspect media should never be used as the source for analysis. The source or original media should be physically secured and only used as the master to create a bit-for-bit image. The original should be stored using the appropriate chain of custody procedures, depending on location. The image created for forensic analysis should be used for analysis. Once data from the source are altered, they may no longer be admissible in court. Continuing the investigation and documenting the date, time and data altered are actions that may not be admissible in legal proceedings. The enterprise would need to know the details of collecting and preserving forensic evidence relevant to the jurisdiction.

Answer 120

B is the correct answer. Justification Risk assessment results are a document that would not likely be included in a computer incident response team (CIRT) manual. Quickly ranking the severity criteria of an incident is a key element of incident response. The emergency call tree directory is a document that would not likely be included in a CIRT manual. A table of critical backup files is a document that would not likely be included in a CIRT manual.

Answer 121

C is the correct answer. Justification Preventing access by system administrators provides no protection and does nothing to restore the system. Root access makes it possible to initiate changes that are difficult or impossible to locate, so undoing all changes is not an acceptable choice to resolve the issue. If someone, or a malicious program, gains superuser privileges to a system without authorization, the enterprise never knows what the perpetrator or program has done to the system. The only way to assure the integrity of the system is to wipe it clean by either performing a low-level format on the hard disk or replacing it with a new one (usually after making a bit copy backup for the purpose of further analysis and to prevent the destruction of data that may not exist elsewhere) and then starting over again by reinstalling the operating system and applications using original media. Changing passwords provides no protection against any malicious changes made to the system.

Answer 122

D is the correct answer. Justification Recovery time objective (RTO) may only address a part of requirements to ensure end-to-end business operations at the alternate site. Functional delegation is of secondary importance to ensure the process availability at the alternate site. Staff availability is important only to the extent that it impacts process availability at the alternate site. Until end-to-end transaction flow is established, recovery is not complete. Whether the RTO has been met is less important than achieving full recovery.

Answer 123

D is the correct answer. Justification Operation of a robust incident management process should occur prior to an investigation. The identification of areas of responsibility should occur prior to an investigation. Involvement of law enforcement is dependent upon the nature of the investigation. The most important factor in a forensic investigation is the expertise of the resources participating in the project, due to the inherent complexity.

Answer 124

D is the correct answer. Justification The independence of the investigator may be important but is not the most important aspect. Timely intervention is important for containing incidents but not important for forensic investigation. Identifying the perpetrator is important, but maintaining the chain of custody is more important in order to have the perpetrator convicted in court. Establishing the chain of custody is one of the most important steps in conducting forensic investigations because it preserves the evidence in a manner that is admissible in court.

Answer 125

A is the correct answer. Justification Before performing analysis of impact, notification, or isolation of an incident, it must be validated as a real security incident. Before performing analysis of the impact of an incident, it must be validated as a real security incident. Before notification of stakeholders, it must be validated as a real security incident. Before isolation of an incident, it must be validated as a real security incident.

Answer 126

C is the correct answer. Justification Whether hard drives are encrypted is not relevant to collecting and preserving evidence. Audit software is not useful for collecting and preserving evidence. When collecting evidence about a security incident, it is very important to follow appropriate forensic procedures to handle electronic evidence using a method approved by local jurisdictions. Log correlation software may help when collecting data about an incident; however, these data might not be accepted as evidence in a court of law if they are not collected using a method approved by local jurisdictions.

Answer 127

A is the correct answer. Justification Fidelity coverage means insurance coverage against loss from dishonesty or fraud by employees. Business interruption insurance protects against losses from events that prevent the business from operating. Valuable papers and records insurance protects against the costs associated with the destruction of business records due to fire, flood or other incident. Business continuity insurance is similar to business interruption coverage but generally provides broader protection.

Answer 128

D is the correct answer. Justification Presentation skills are useful for preparing management reports but are not the most essential quality. The ability to follow policies and procedures is important, but incidents are unanticipated and chaotic. It is likely there are no specific policies or procedures to deal with them, and for an individual who cannot cope with the stress of an incident, the ability is of little value. Integrity is an essential quality, but an employee who lacks it probably should not be employed by the enterprise. Incident handlers work in high-stress environments when dealing with incidents. Incorrect decisions are likely to be made by individuals unable to cope with stress; thus, the primary quality of incident handlers is to cope with stress.

Answer 129

B is the correct answer. Justification Identifying a recognized forensics software tool to create the image is one of the important steps, but it should come after several of the other options. The first step in any investigation requiring the creation of a forensic image should always be to maintain the chain of custody. Connecting the hard drive to a write blocker is an important step, but it must be done after the chain of custody has been established. Generating a cryptographic hash of the hard drive contents is another important subsequent step.

Answer 130

C is the correct answer. Justification The database server would not assist in the correlation and review of the logs. The domain name server would not assist in the correlation and review of the logs. To accurately reconstruct the course of events, a time reference is needed, and that is provided by the time server. The proxy server would not assist in the correlation and review of the logs.

Answer 131

D is the correct answer. Justification Impact analysis may help to assess the damage to the business. It may somewhat enhance the quality of log analysis; however, it would not support the accomplishment of the timely detection of an incident. Increasing the number of employees is a costly approach that requires additional workload. There is still a risk that significant events could be overlooked, even if the log is reviewed with an increased headcount. Reducing the number of security events to be recorded may not directly contribute to the timely detection of an incident. Reducing the number of events reported in the logs may increase the risk of unidentified events. A monitoring system, such as a security information and event management system (SIEM), would interface with production systems. Therefore, log events would be sent to the agent layer of the security management system, followed by the analysis and escalation steps. This approach would compensate for the disadvantages involved in the periodic review of log events.

Answer 132

D is the correct answer. Justification Preventing disk corruption does not address capture of the data that exist in volatile memory. Conducing a hot-swap of the main disk drive does not address capture of the data that exist in volatile memory. Avoiding loss of data in server logs does not address capture of the data that exist in volatile memory. Disconnecting power from a system results in loss of data stored in volatile memory. Those data could be vital for the investigation and for understanding the extent of the impact of the event. Disconnecting power is not recommended if analysis of running processes or the content of volatile memory is required.

Answer 133

D is the correct answer. Justification A network monitoring system provides analysis of security alerts generated by network devices. A security information and event management system monitors activity data and log from endpoints and systems that could indicate a threat. Endpoint detection and response (EDR) not only includes antiviruses but also contains security tools like firewall, whitelisting tools, monitoring tools, etc., to provide comprehensive protection against digital threats. However, this is not its primary function. An EDR system, in addition to providing analysis and prevention, has forensic capabilities that facilitate post-incident investigation and security research.

Answer 134

C is the correct answer. Justification For a copy, the target hard disk does not require the same specification as the original disk; therefore, this is not the best choice. It is a good practice to make a dual backup; however, it does not prove that data are not modified by anyone. In order to prove that data are not modified before and after the copy is made, it is best to keep a digital hash from both hard disks. The hashes alone are not adequate to meet the standards of evidence admissibility, but they will support other aspects of integrity in the context of data forensics. It is a good practice to perform a restoration test. This is to ensure availability rather than to maintain evidential capability.

Answer 135

C is the correct answer. Justification The fact that most new viruses’ signatures are identified over weekends is secondary to leaving systems vulnerable during the intervening week. The fact that technical personnel are not available is secondary to leaving systems vulnerable during the intervening week. Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential. The fact that success or failure is not known until Monday is secondary to leaving systems vulnerable during the intervening week.

Answer 136

B is the correct answer. Justification Unplugging the systems is generally the preferred option in preserving evidence but is just one step. Admissible evidence must be collected and preserved by maintaining the chain of custody. Segregation of duties is not necessary in evidence collection and preservation because the entire process can be executed by a single person. Clock synchronization is not as important for the collection and preservation of admissible evidence

Answer 137

C is the correct answer. Justification Identifying the sources of the attack may be useful to stop the attack but does not aid in determining impact. The overall impact of a distributed denial-of-service attack may be beyond the comprehension of the users, as servers, databases, routers, etc., may be affected. Criticality of affected services will determine the impact on the business. If affected services are not critical, then there is no cause for alarm. Logs may identify the nature of the attack rather than the impact.

Answer 138

A is the correct answer. Justification Slack space is the unused space between where the file data end and the end of the cluster the data occupy. Login information is not typically stored in the slack space. Encryption for the slack space is no different from the rest of the file system. Slack space is not a viable means of storage during an investigation.

Answer 139

A is the correct answer. Justification Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved properly. The IT department is unlikely to have the necessary level of expertise and should, therefore, be prevented from taking action. Disconnecting from the network may be a prudent step prior to collecting evidence but does not eliminate the requirement for properly qualified forensic personnel. Notifying law enforcement will likely occur after the forensic analysis has been completed.

Answer 140

B is the correct answer. Justification Containing and eradicating the incident would occur only after the incident is validated. The first step in incident response is to confirm the incident is valid. This would be done through incident analysis. Evidence gathering, eradication and containment occur after the incident is confirmed. Recovery, evidence gathering, eradication and containment occur after the incident is confirmed.

Answer 141

C is the correct answer. Justification Control objectives cannot be evaluated until the exact nature of the compromise is understood; therefore, it is not clear how to best provide a solution. Increasing the restrictiveness of controls should only take place if it is determined by root cause analysis to be necessary to solve the problem. Assessing the root cause is the first step in understanding whether control objectives and controls are inadequate or if some other cause must be addressed. Repeating the control test does not provide a root cause of the compromise that occurred.

Answer 142

D is the correct answer. Justification When hacking is carefully completed, it can be difficult to find any observable trace evidence of the attack. Hence, reconciliation against external statements or logs may not be effective, as there may be no traces of the attack. Hacking most likely is conducted from the back end. Hence, business approval procedures may not provide vital information from a forensic perspective. Interviews are subjective and, therefore, are weak evidence from a forensic perspective. Attackers make sure to hide evidence of infiltration, such as erasing logs, editing control reports, etc. From a forensic perspective, it is equally important to capture volatile data, such as open ports, active processes, RAM data, etc., for further investigation.

Answer 143

B is the correct answer. Justification Identifying the threat actors may be the outcome of the investigation, but it is not the main objective of forensics. Forensic investigation focuses on collecting uncontaminated evidence that can be presented in its original form. Determining the root cause of a cybersecurity incident is important; however, forensic investigation may come after determining the root cause. Whether to notify law enforcement is senior management's decision, depending on various factors identified during a forensic investigation.

Answer 144

A is the correct answer. Justification The chain of custody documents how evidence is collected, used and handled through the lifetime of a particular case. The chain of custody protects the integrity of the evidence and ensures its usability during legal proceedings. This would be the most significant concern in this scenario. Damage to the hard drives would be a concern, but the most significant concern would be the loss of integrity of the evidence with the disruption of the chain of custody. Erasure of data is a potential outcome if the chain of custody is broken. Alteration of data is a potential outcome if the chain of custody is broken.

Answer 145

C is the correct answer. Justification Containment is the next step in the incident response cycle. Deleting the file could be part of the containment process after it has been determined that it is safe to do so. The first step in incident response is to verify whether the file is malicious. Reporting to management would be a later step in the incident handling cycle and will vary based on policy, but it would not come before verification or general containment.

Answer 146

D is the correct answer. Justification Failure to enable audit logs on a production server, although important, does not pose as immediate or as critical a threat as a Trojan installed on a systems administrator’s laptop. The logon ID for a terminated employee existing on the system poses a risk, but unless it is a disgruntled or malicious employee, it is not likely to be a critical threat. Numerous reports of phishing emails are a risk. But in this situation, employees recognize the threat and are responding appropriately, so it is not a critical threat. The discovery of a Trojan installed on a systems administrator’s laptop is a highly significant threat from an attacker and may mean that privileged user accounts and passwords have been compromised.

Answer 147

D is the correct answer. Justification An asset inventory can be used for tracing the asset, but it is not the primary reason for a chain of custody. The chain of custody is not related to the asset custodian or to updating the asset inventory. Forensic analysis—not the chain of custody—may reveal who compromised the system. The chain of custody must be ensured to ensure that the forensic evidence is admissible in a court of law.

Answer 148

A is the correct answer. Justification Because the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity. Write access violations would not necessarily be observed because the information was merely copied and not altered. Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity; concurrent usage is common in this situation. Firewall logs would not necessarily contain information regarding logon attempts.

Answer 149

B is the correct answer. Justification It will be a waste of resources if forensic analyses are based on threat intelligence reports. Forensics can be performed for actual and suspected breaches based on digital evidence. They primarily focus on finding digital evidence after a breach has occurred. Every security incident does not call for forensics. Initiating forensics would be more useful once a breach has occurred than after it is reported. Forensics will not be useful without logs. If files are not available as desired, the evidence will be insufficient.

Answer 150

D is the correct answer. Justification A gap analysis is useful in assessing the differences between the current state and a future state. Regression analysis is used to retest earlier program abends or logical errors that occurred during the initial testing phase. Risk analysis is a process by which frequency and magnitude of IT risk scenarios are estimated. Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs define the amount of time allowed for the recovery of a business function or resource after a disaster occurs.

Answer 151

A is the correct answer. Justification The bit-level copy image file ensures forensic quality evidence that is admissible in a court of law. The last verified backup will not copy everything and will not provide a forensic quality image for investigative work. Dumping memory runs the risk that swap files or other disk activities will alter disk-based evidence. Standard advice from law enforcement is to pull the power plug on the compromised server to maximize preservation of evidence. Backup servers may not have been compromised.

Answer 152

D is the correct answer. Justification The information security steering committee will be notified later, as required by corporate policy and regulatory requirements. Customers will be notified later, as required by corporate policy and regulatory requirements. Regulatory agencies will be notified later, as required by corporate policy and regulatory requirements. The data owners should be notified first, so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team.

Answer 153

D is the correct answer. Justification Senior management would be notified after confirmation of the incident. Monitoring traffic from the server could be initiated as part of the incident response process. Comparing the log files could be initiated as part of the incident response process. For a critical enterprise server, the incident management process should be started as soon as possible, which would be when an alert warns of unusual traffic.

Answer 154

D is the correct answer. Justification A vulnerability assessment identifies system weaknesses, not the intention and extent of an incident. A red team exercise is a replication of an attack in a controlled setting. However, it would not help to determine the impact of an attack in progress. Post-incident review is the last step in an incident response and is more likely to reveal lessons learned than to unveil the intention and extent of a cyberattack. Forensic analysis plays a vital role in investigation of a cyberattack. It includes analyzing the intrusion and summarizing the findings. Other options, such as vulnerability assessment, post-incident review and red team exercises, help in preventing a cyberattack but are not useful in the aftermath.

Answer 155

C is the correct answer. Justification Performing a vulnerability assessment takes place after the root cause of an incident has been determined to find new vulnerabilities, not to collect evidence. A digital rights management solution is not intended to support forensic analysis. The information security manager must follow procedures that preserve evidence, ensure a legally sufficient chain of custody and are appropriate to meet business objectives. The suspect media should never be used as the source for analysis. The source or original media should be secured and only used to create a bit-for-bit image.

Answer 156

D is the correct answer. Justification The information security manager should inform management but not before verifying the information. Users should be notified after the information security manager has verified the information and informed management. Isolating the server is not the first step that the information security manager should take. Before any action is taken, the information security manager should verify that there has been a breach.

Answer 157

B is the correct answer. Justification Switching the computer to safe mode will result in a state change, which may result in the loss of evidence. A bit-for-bit copy of the original media would best support forensic investigators in this situation. The investigators could compare the media in its current state against the bit-for-bit copy of the original media to search for discrepancies. Unplugging the system will result in a state change, which may result in the loss of evidence. Rebooting the system will result in a state change, which may result in the loss of evidence.

Answer 158

B is the correct answer. Justification Creating a forensic image of the device should be done only after ensuring the integrity of the device. A write blocker is used to maintain the integrity of the original storage media. It does so by preventing users from being able to write or modify information on the original storage media. Scanning a device for malicious software could modify the device, compromising its integrity. Modification of a device prior to creating a forensically sound image would compromise admissibility in a court of law.

Answer 159

C is the correct answer. Justification Documentation follows taking an image copy and may be supplementary. Notifying law enforcement follows taking an image copy, preserving evidence and maintaining the chain of custody. Taking an image copy of the media along with preserving any other evidence and maintaining the chain of custody is a recommended practice to ensure legal admissibility. Closing the accounts receivable system is not a practical solution.

Answer 160

C is the correct answer. Justification Not all information security incidents originate from the network; an intrusion detection system will provide no detection value for a variety of incident types. Diversifying the means of communication increases the odds that information reaches the people to whom it is sent, but it does nothing to ensure that the correct people receive the correct information at the correct time. An incident is not identified within an enterprise until it is declared, which is a business responsibility beyond the scope of the technical staff. A well-defined and structured communication plan ensures that information flows from the technical staff to decision makers in a timely fashion, allowing incidents to be recognized, declared and appropriately addressed. Reviewing logs provides an opportunity to identify irregular traffic patterns that may indicate an information security incident, but these logs provide insight into only a subset of attack vectors (e.g., external penetration would generally be covered, but insider threats may not). Additionally, if analysts who identify potentially revealing information do not have mechanisms in place to share those revelations with others in the enterprise, an effective response is less likely.

Answer 161

B is the correct answer. Justification While assigning responsibility for acquiring the data is a step that should be taken, it is not the first step or the highest priority. Locating the data and preserving data integrity are the first priorities. Creating a forensically sound image may or may not be a necessary step, depending on the type of investigation, but it would never be the first priority. Issuing a litigation hold to all affected parties might be a necessary step early in an investigation of certain types, but not the first priority.

Answer 162

B is the correct answer. Justification Forensic analysis will contaminate the evidence if performed on the original media. Forensic analysis must be performed only on a copy of the original media so that the evidence is uncontaminated as part of the investigation. A system reboot will contaminate the evidence. Forensic analysis can be performed on isolated and live systems.

Answer 163

A is the correct answer. Justification One of the first steps in an investigation is to create an image of the original hard drive. A physical copy will copy the data, block by block, including any hidden data blocks and hidden partitions that can be used to conceal evidence. Encryption is not required. Examining the hard drive is not good practice because it risks destroying or corrupting evidence. A logical copy will only copy the files and folders and may not copy other necessary data to properly examine the hard drive for forensic evidence.

Answer 164

A is the correct answer. Justification Validating that the condition is a true security incident is the necessary first step in determining the correct response. Notifying senior management could be part of the incident response process that takes place after confirming an incident. The containment stage would follow confirming the incident. Notifying law enforcement by the appropriate party could be part of the incident response process that takes place after confirming an incident.

Answer 165

A is the correct answer. Justification An enterprise must be able to detect the incident to respond, record and classify the incident. Even if response is not possible, detection allows stakeholders to be informed. Responding to an incident is an essential part of incident management, but it must be detected first. Incidents detected are typically classified based on impact. Incidents cannot be recorded unless detected.

Answer 166

B is the correct answer. Justification Removing the tape into the custody of law enforcement provides clear indication of who was in custody of the tape at all times. Because a number of individuals would have access to the tape library and could have accessed and tampered with the tape, the chain of custody could not be verified. Sealing the tape and locking it in a safe provides clear indication of who was in custody of the tape at all times. Handing the tape over to authorized independent investigators provides clear indication of who was in custody of the tape at all times.

Answer 167

C is the correct answer. Justification Deleted files that have not been physically overwritten can generally be retrieved using commonly available forensic tools. Partition tables can generally be retrieved using commonly available forensic tools. When the actual file content on the disk is overwritten, it generally cannot be recovered without significant resources and highly specialized tools; frequently, it cannot be recovered at all. Drives that have been high-level formatted can generally be retrieved using commonly available forensic tools.

Answer 168

C is the correct answer. Justification Whether a copy is compressed is irrelevant, and a straight copy operation will not include everything on the hard disk that is not identified by the operating system as a standard file. A copy of all files and directories will not be an image of the hard disk and will fail to copy a variety of data, including data between the end of a file and the end of the disk sector (“slack space”) and deleted files that have not been overwritten. There is no alternative to making a bit-for-bit copy. For legally sufficient evidence, only a bit copy will result in a true image of the hard drive. Whether the data are encrypted is not relevant, and copying all files and folders will miss certain data such as data between the end of a file and the end of the disk sector (slack space).

Answer 169

B is the correct answer. Justification Obtaining evidence as soon as possible is part of the investigative procedure but is not as important as preserving the integrity of the evidence. The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law). Disconnecting involved IT equipment is part of the investigative procedure but is not as important as preserving the integrity of the evidence. Reconstructing the sequence of events is part of the investigative procedure but is not as important as preserving the integrity of the evidence.

Answer 170

B is the correct answer. Justification Every unsuccessful action simply wastes time; escalate and move on. Because the investigation process must have time constraints, if the initial team cannot find resolution in the plan time allotted, it should escalate the resolution to the next level and move on to system recovery. The activity in an incident response event should not stop until the root cause has been determined, but other teams may need to be called in to divide the work and complete the response plan. A disaster should not be declared until the event root cause has been determined or senior management has determined that the resolution will take longer than acceptable for a system outage.

Answer 171

C is the correct answer. Justification A bit-by-bit copy of the data is an imaging activity, and imaging of the volatile memory is not possible using this method. Both isolated and live systems can be forensically analyzed. Volatile data are only present while the computer is running. During an investigation, volatile data can contain critical information that would be lost if not first collected. For example, many types of malware are designed to be present in the computer’s memory when it is operating and to disappear when the computer is turned off, leaving no trace. Forensic analysis should never be done on original media and it will not provide information regarding volatile memory.

Answer 172

A is the correct answer. Justification Advanced persistent threat (APT) refers to stealthy attacks not easily discovered without detailed analysis of behavior and traffic flows. Security information and event management (SIEM) solutions analyze network traffic over long periods of time to identify variances in behavior that may reveal APTs. Stateful inspection is a function of some firewalls but is not part of a SIEM solution. A stateful inspection firewall keeps track of the destination Internet Protocol address of each packet that leaves the enterprise’s internal network. Whenever the response to a packet is received, its record is referenced to ascertain and ensure that the incoming message is in response to the request that went out from the enterprise. Zero-day attacks are not APTs because they are unknown until they manifest for the first time and cannot be proactively detected by SIEM solutions. A vulnerability assessment identifies areas that may potentially be exploited, but does not detect attempts at exploitation, so it is not related to APT.

Answer 173

B is the correct answer. Justification Rebooting the router would not be relevant. Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation. It would be inappropriate to take any action beyond that. Updating the IDS could create a temporary exposure until the new version can be properly tuned. Enabling server trace routing is of no use.

Answer 174

D is the correct answer. Justification The system owner would need to be informed, but that is not the first thing an information security manager should focus on. The cause of the incident should be determined, if possible, but this would not be the first action to take. Turning the system off will result in a state change, which may result in the loss of forensic evidence. The priority in a data exfiltration situation would be to limit the damage by blocking outgoing traffic to the attacker’s servers.

Answer 175

C is the correct answer. Justification Incident response plans are reactive corrective controls and will not directly address the loss associated with a successful ransomware attack. User awareness will help reduce the possibility of a successful attack but will not help limit damage from a successful attack. Air-gapped backups are the best control to limit the damage because they are offline backups and would not be infected with the ransomware. These backups would allow the enterprise to recover data based on the recovery point objective. Disaster recovery plans are corrective controls and will not directly address the loss associated with a successful ransomware attack.

Answer 176

D is the correct answer. Justification Escalating the incident to senior management without first containing it will potentially increase the damage caused. The damage can be assessed only after the incident is contained or else the damage will increase further. The severity can be determined only after the incident is contained or else the damage will increase further. Once an incident and its source have been detected, the incident must be contained to prevent further spreading or damage.

Answer 177

B is the correct answer. Justification Conducting a detailed vulnerability assessment on affected areas is an eradication phase activity and may be too time consuming. Containment includes all the activities, tasks, and steps taken in the attempt to limit or reduce the impact of an incident. Isolating the affected systems or assets is the first action to contain the incident and limit its impact, depending on the nature of the incident. Incident handling resources are limited, and they must be used to the greatest benefit. This step is a detection and analysis activity, not a containment activity. Complete removal of any threat that was introduced to the environment during the incident is an eradication activity.

Answer 178

A is the correct answer. Justification Forensic evidence needs to be protected from damage or contamination. If the forensic evidence is lost or damaged after the incident is reported, then the downstream incident response will be inconclusive. The installation of vulnerability assessment tools aids in prevention of incidents but not containment. Enabling the computer logging mechanism after an incident will help in detecting future incidents, but not in containment efforts. The synchronization of system clocks supports incident investigation but will not contain the incident.

Answer 179

C is the correct answer. Justification Shutting off all network access points would create a denial of service that could result in loss of revenue. Dumping event logs, while useful, would not mitigate the immediate threat posed by the network attack. Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing. Enabling trace logging, while useful, would not mitigate the immediate threat posed by the network attack.

Answer 180

A is the correct answer. Justification Because ransomware spreads quickly and could damage more systems, the most effective response is to contain the incident by removing affected systems from the network. This option represents the containment phase, which is the first step after confirming the incident. The information security manager has a responsibility to protect the enterprise, so containment would be the priority in this situation. The time taken to notify system owners would allow the ransomware infection to spread to other systems. Notification would occur after containing the incident. Attempting to restore from to backups could allow the backups to be infected and would destroy evidence needed to investigate the incident. The uncontained ransomware infection would spread to other systems as the logs were reviewed.

Answer 181

D is the correct answer. Justification Applying patches does not significantly increase the level of difficulty. Changing access rules has no effect on eradication of malicious code. Upgrading hardware does not significantly increase the level of difficulty. If malicious code is not immediately detected, it will most likely be backed up as part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.

Answer 182

D is the correct answer. Justification Informing all partners about the breach is not the first step in containing the incident. This action is part of the communication plan that is executed after understanding the impact of the breach. While shutting down the artificial intelligence (AI) model development system might seem like a good immediate reaction, it can disrupt business operations and might not be necessary if the breach is contained within a limited number of systems. Updating all systems with the latest security patches is a part of vulnerability management and could prevent future incidents, but it might not be effective in containing the current incident. Isolating the affected system and initiating a forensic analysis is the first step in containing the incident. This prevents the breach from spreading to other systems and allows the incident response team to begin the investigation.

Answer 183

B is the correct answer. Justification Notifying law enforcement should be performed after the containment plan has been executed. After an incident has been confirmed, containment is the first priority of incident response because it will generally mitigate further impact. Making an image copy of the media should be performed after the containment plan has been executed. Isolating affected servers is part of containment.

Answer 184

C is the correct answer. Justification Rebooting the router is not warranted. Powering down the demilitarized zone servers is not warranted. In the case of a probe, the situation should be monitored and the affected network segment isolated. Enabling server trace routing is not warranted.

Answer 185

A is the correct answer. Justification Safety of people always comes first; therefore, verifying access logs of personnel to the facility should be the first action in order to ensure that all staff can be accounted for. Calling the crisis management team together should be done after the initial emergency response (i.e., evacuation of people). Launching the disaster recovery plan is not the first action. Launching the business continuity plan is not the first action.

Answer 186

D is the correct answer. Justification The virus may start infecting other computers while the virus scan is running. Only when the impact to the IT environment is significant should it be reported to senior management. A case of virus infection does not warrant the action. Formatting the hard disk is the last resort. The first action should be to contain the risk (i.e., by disconnecting the computer so that it will not infect other computers on the network).

Answer 187

D is the correct answer. Justification Documentation is important, but it should follow containment. Monitoring is important and should be ongoing but does not limit the impact of the incident. Restoration follows containment. The first priority in responding to a security incident is to contain it to limit the impact.

Answer 188

B is the correct answer. Justification Before reporting to senior management, the extent of the exposure needs to be assessed. Before reporting to senior management, affected customers or the authorities, the extent of the exposure needs to be assessed. Reporting the incident to authorities is a management decision and not up to the security manager. Communication with affected customers is a management task and is not the responsibility of the security manager.

Answer 189

B is the correct answer. Justification Identifying the incident means verifying whether an incident has occurred and finding out more details about the incident. After an incident has been confirmed (identified), the incident management team should limit further exposure. Determining the root cause takes place after the incident has been contained. Performing a vulnerability assessment takes place after the root cause of an incident has been determined to check if the vulnerability has been addressed.

Answer 190

B is the correct answer. Justification There is no indication of infection and quarantining all picture files is unnecessary. Until signature files can be updated, incoming email containing picture file attachments should be blocked. Quarantine of all mail servers is unnecessary because only those emails containing attached picture files are in question. Blocking all incoming mail is unnecessary as long as picture files are blocked.

Answer 191

B is the correct answer. Justification Restoring servers is important; however, it is not related to containment and usually occurs after containment. There is a delicate balance between protecting evidence from an incident and containing an incident to prevent further impact. If evidence is destroyed, it may be difficult to determine the root cause and prosecute the attacker. Training employees is important; however, it is not related to containment and usually occurs as a protective measure. Updating management is important; however, it is not related to containment.

Answer 192

A is the correct answer. Justification When defining and establishing effective incident escalation processes, it is primarily relevant to state how long a team member should wait for an incident response and what to do if no response occurs. This is the necessary (initial) platform for all further steps of an effective escalation process. It is relevant to know how critical an incident is and which business units are impacted, but when establishing escalation processes, it is much more relevant to state how long a person should wait for a response and what to do if no response occurs. Communication to stakeholders is part of the incident response process, but it is more important to establish waiting times and alternative responses because time is of the essence. It is relevant to inform incident response team managers quickly, but initially it is more relevant to state how long a person should wait for a response and what to do if no response occurs.

Answer 193

C is the correct answer. Justification Recovery activities are performed after the successful eradication of an incident. Removal of the malicious software is eradicating the cause of the incident. Post-incident activities improve the response by documenting the lesson learned. Removing malicious software should occur before this phase. Malicious software should be removed at the eradication phase of incident response. Containment activities stop the damage, but they do not remove the cause, such as malicious software.

Answer 194

C is the correct answer. Justification Detailed guidance on communicating to regulatory authorities is just one of the many relevant types of information documented in the communication plan. If it is unclear who should communicate what to whom and how, the plan is inefficient. Whether to invoke the enterprise’s business continuity plan (BCP) may or may not be documented in the communication plan. One of the primary objectives of a communication plan is to inform staff members about their roles and responsibilities, including whom to contact and how to communicate with them during an incident. Keeping the communication plan updated will ensure that this information is current should an incident occur. Templates for incident communication are just one of the many relevant pieces of information documented in the communication plan. However, they are not of use if it is unclear who should use the templates and when.

Answer 195

A is the correct answer. Justification Proper messages need to be sent quickly through a specific identified person so that there are no rumors or statements made that may damage reputation. Refusing to comment until recovery is recommended until the message to be communicated is made clear and the spokesperson has spoken to the media. Referring the media to the authorities is not recommended. Reporting the losses and recovery strategy to the media is not recommended.

Answer 196

B is the correct answer. Justification Before notifying affected data subjects, it is a best practice to consult senior management first to determine what information can and should be communicated to external parties. Senior management is notified about the incidents affecting the organization’s business processes. Before reporting the incident to external parties, senior management needs to be consulted for approval of reporting content and time to report. Before notifying privacy regulators and external parties, senior management and internal legal counsel should be consulted to determine the next steps. The IT security manager may be notified later in the incident handling process depending on incident response activities.

Answer 197

A is the correct answer. Justification Close integration of information security governance with overall enterprise governance is likely to provide better long-term information security by institutionalizing activities and increasing visibility in all organizational activities. Increased budgets and staff may improve information security but will not have the same beneficial impact as incorporating security into the strategic levels of the enterprise’s operations. Control strength and compliance efforts must be balanced against business requirements, culture and other organizational factors and are best undertaken at the governance level. While technical security controls may improve some aspects of security, they will not address management issues or provide the enduring organizational changes needed for improved maturity levels.

Answer 198

B is the correct answer. Justification Risk management deals primarily with controls and is not a viable basis for the definition of escalation guidelines. A risk and impact analysis will be a basis for determining what authority levels are needed to respond to particular incidents. Assurance review reports and results, such as the description of reporting effectiveness, are primarily suited for the monitoring of stakeholder communications. The effectiveness of resources belongs to the description of reporting and communication and is not a viable basis for the definition of escalation guidelines.

Answer 199

B is the correct answer. Justification There are few, if any, circumstances in which the information security manager should contact external authorities directly. Communication regarding security events, particularly ones that have legal implications, is a business decision that is the responsibility of management. It is the decision of management to determine which stakeholders and external entities should be informed. This process should be detailed in the enterprise’s incident response communication plan. Human resources and legal would not be the only departments to engage in communications in this situation.

Answer 200

B is the correct answer. Justification A summary of security logs would be too technical to report to senior management. When reporting an incident to senior management, the initial information to be communicated should include an explanation of what happened and how the breach was resolved. An analysis of the impact of similar attacks would be desirable; however, it would be communicated later in the process. A business case for improving controls may be appropriate after investigating the cause of the breach

Answer 201

D is the correct answer. Justification Understanding severity levels is important but, on its own, is not sufficient to ensure that the information security manager is able to manage the incident effectively. Intrusion detection is a useful tool for detecting potential network security incidents, but without robust communication and reporting processes, it is less effective. Conducting awareness training so individuals can recognize potential incidents is important, but it is not effective unless the information is communicated to the right people in a timely manner. Timely communication and reporting are most likely to ensure that the information security manager receives the information necessary to effectively manage a security incident. Effective communication will also help ensure that the correct resources are engaged at the appropriate time.

Answer 202

D is the correct answer. Justification Security technologies are not typically the cause of substantial challenges in building effective security processes. Security policies rarely define all stakeholders and notification to stakeholders is typically outside the scope of initial incident management, making the definition of escalation paths a greater concern. Escalation processes are typically procedures. Control of incidents by process owners is not a primary requirement of effective security incident management. Inadequately defined escalation paths may result in lack of adequate authority, substantial delays, lack of notification of the appropriate individuals, and other significant negative impacts.

Answer 203

C is the correct answer. Justification The information security steering committee will be notified later, as required by corporate policy requirements. Customers will be notified later, as required by corporate policy and regulatory requirements. The data owners should be notified first, so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Regulatory agencies will be notified later, as required by corporate policy and regulatory requirements.

Answer 204

A is the correct answer. Justification Providing procedures on disseminating internal and external communications is the purpose of establishing a crisis communication plan. While a crisis communication plan may reduce the overall impact of a cybersecurity incident, such as reputational damage, it does not minimize the loss of information or data from a major cybersecurity incident, which is the objective of incident response. Details on how and when to contact cyberinsurance providers are typically included in a communication plan for all types of incidents. Communication with the media is only one part of the crisis communication plan.

Answer 205

D is the correct answer. Justification Timely communication and reporting is only useful after identification of an incident has occurred. Understanding how to establish severity levels is important, but it is not the essential element for ensuring that the information security manager is aware of anomalous events that might signal an incident. Intrusion detection systems are useful for detecting IT-related incidents but are not useful for identifying other types of incidents such as social engineering or physical intrusion. Ensuring that employees have the knowledge to recognize and report a suspected incident is most likely to result in identification of security incidents.

Answer 206

D is the correct answer. Justification A summary of security logs would be too technical to report to the chief information officer (CIO). An analysis of the impact of similar attacks would be helpful but is not the most important item to report. A business case for implementing stronger controls would be helpful to report to management, but it is not the most important item to report and would follow reporting impact and corrective actions. The actual impact to the enterprise and corrective actions taken would be the most important item to share with the CIO.

Answer 207

D is the correct answer. Justification Although a communication plan helps increase awareness, it is not the most important reason. Meeting compliance requirements may be a requirement in some cases, but it is not the most important reason for communication regarding incidents. Communication flows are part of the communication plan to improve the resolution of the incident. The overall goal of the communication plan is to improve incident response. Effective communication helps stakeholders respond to the incident.

Answer 208

C is the correct answer. Justification Copying sample files as evidence is not advisable because it breaches confidentiality requirements on the file. Removing access privileges to the folder containing the data should be done by the data owner or by the security manager in consultation with the data owner—frequently the security manager would not have this right; regardless, this would be done only after formally reporting the incident. The data owner should be notified prior to any action being taken. Training the human resources team on properly controlling file permissions is the method to prevent such incidents in the future, but this should take place after the incident reporting and investigation activities are completed.

Answer 209

C is the correct answer. Justification While employee understanding of how to respond to an incident is important, it is not the primary reason for communication in incident response. Effective communication alone does not prevent, or ensure the prevention of, a security breach or incident. Communication in incident response ensures that all relevant parties are informed and can take appropriate action. Communication is just one component of a comprehensive incident response plan and may not save time or reduce costs during the incident response.

Answer 210

D is the correct answer. Justification The breach must be contained prior to developing plans for recovery. Before lessons learned can be documented, the threat must be eradicated. Developing a plan to prevent future breaches is part of the lessons learned phase. The threat must be first eradicated to prevent further losses to the enterprise. Malware must be removed before systems can be recovered. If not, malware could be reintroduced to the environment during the recovery phase.

Answer 211

C is the correct answer. Justification The ability to resume normal operations is situational and would not be a standard for acceptability. While the maximum tolerable outage, in addition to many other factors, is part of a service delivery objective (SDO), it does not by itself address the acceptability of a specific level of operational recovery. A prior determination of acceptable levels of operation in the event of an outage is the SDO. The SDO may be set at operation levels that are less than normal but sufficient to sustain essential business functions. While the acceptable interruption window, in addition to many other factors, is part of an SDO, it does not by itself address the acceptability of a specific level of operational recovery.

Answer 212

C is the correct answer. Justification Disaster declaration occurs at the beginning of this period. Recovery of the backups occurs shortly after the beginning of this period. The recovery time objective (RTO) is based on the amount of time required to restore a system. Return to business as usual processing occurs significantly later than the RTO. RTO is an objective, and full restoration may or may not coincide with the RTO. RTO can be the minimum acceptable operational level, far short of normal operations.

Answer 213

B is the correct answer. Justification Containment includes finding what the incident has impacted and limiting the extent that it spreads across the network by isolating impacted systems or shutting them down after necessary evidence is collected. Eradicating the incident requires determining and eliminating the root cause so that it cannot cause further damage. Actions required to completely remove the incident threat from the network or systems include cleaning infected files, changing rules and configurations, and making backups in order to mitigate incident impacts. Restoring the system is simply returning the system to normal operations. This is accomplished after eradication and during recovery phase of incident. Identifying, confirming, categorizing and assigning a priority to an incident are performed during the detection phase of incident response.

Answer 214

A is the correct answer. Justification It is important to prevent a disaster that could affect both sites, and ensuring that the primary and offsite facilities are not subject to the same environmental disasters addresses this concern. The distance between sites may be important in cases of widespread disasters; however, this is covered by ensuring that the same environmental disasters do not affect the primary and offsite facilities. The costs are a secondary criterion for selection. A cost-effective media transport service may be a consideration but is not the main concern.

Answer 215

C is the correct answer. Justification Transaction turnaround time may be a concern when the effectiveness of an application system is evaluated. Normally it is not the main agenda in the restoration stage. Mean time between failures (MTBF) is the predicted elapsed time between inherent failures of a system during operation. MTBF is not a factor in determining restoration of data. The service delivery objective (SDO) relates directly to the business needs; SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. The duration of a data restoration job may be of secondary importance. The strategic importance of data should be considered first.

Answer 216

B is the correct answer. Justification Disaster declaration is independent of this processing checkpoint. The recovery point objective is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Restoration of the system can occur at a later date. After-image processing can occur at a later date.

Answer 217

C is the correct answer. Justification Changing the root password of the system does not ensure the integrity of the mail server. Implementing multifactor authentication is an after measure and does not clear existing security threats. Rebuilding the system from the original installation medium is the only way to ensure all security vulnerabilities and potential stealth malicious programs have been destroyed. Disconnecting the mail server from the network is an initial step but does not guarantee security.

Answer 218

C is the correct answer. Justification Upgrading the training model to the latest version might improve the performance of the artificial intelligence (AI) system, but it does not directly prevent malware infections. The security of the system is not typically dependent on the version of the AI model used. Increasing iterations of data sampling might improve the accuracy of the AI model, but it does not directly prevent malware infections. The security of the system is not typically dependent on the data sampling methods used in AI model training. Updating all systems with the latest security patches is a part of the recovery process and could prevent future similar incidents. It ensures that the systems are protected against known vulnerabilities that could be exploited. While input validation is an important part of secure coding practices to prevent certain types of attacks, such as injection attacks, the most crucial action after a malware infection is to update all systems with the latest security patches to protect against known vulnerabilities.

Answer 219

D is the correct answer. Justification Updating the risk register is important but should be done after restoring systems to their operational state. Conducting a post-incident review should be done after restoring the systems to their operational state. Updating the incident response plan should be done after restoring systems to their operational state. Once the containment has been completed, system operations must be restored to ensure business continuity.

Answer 220

B is the correct answer. Justification Servers may not have been affected, so it is not necessary at this point to rebuild any servers. An assessment should be conducted to determine the overall system status and whether any permanent damage occurred. An impact analysis of the outage will not provide any immediate benefit. Isolating the screened subnet is after the fact and will not provide any benefit.

Answer 221

A is the correct answer. Justification The first action is to validate that clear incident definition and severity criteria are established and communicated throughout the enterprise. A training program will not be effective until clear incident identification and severity criteria have been established. The steering committee may become involved after incident criteria have been clearly established and communicated. Enforcement activities will not be effective unless incident criteria have been clearly established and communicated.

Answer 222

D is the correct answer. Justification Rebuilding from the last known verified backup poses the risk that the verified backup may have been compromised by the super-user at a different time. Placing the web server in quarantine should have already occurred in the forensic process. The step of shutting down in an organized manner is out of sequence and no longer a problem. The forensic process is already finished and evidence has already been acquired. The original media should be used because one could never find and eliminate all the changes a super-user may have made or the timelines in which these changes were made.

Answer 223

B is the correct answer. Justification Quickly restoring service will not always be the best option, such as in cases of criminal activity, which require preservation of evidence precluding use of the systems involved. Problem management is focused on investigating and uncovering the root cause of incidents, which will often be a problem when restoring service compromises the evidence needed. Managing risk goes beyond the quick restoration of services (e.g., if doing so would increase some other risk disproportionately). Forensics is concerned with legally adequate collection and preservation of evidence, not with service continuity.

Answer 224

B is the correct answer. Justification Storing backup media offsite improves the odds that they will be available to use for recovery activities, but it also increases the amount of time needed to complete the recovery. In a situation in which the primary concern is the financial impact of downtime, an offsite media storage contract is not helpful. Business interruption insurance does not help restore operations, but it does compensate a business for the financial impact associated with interruption. In this scenario, the financial impact of downtime is the primary concern; therefore, insurance is an appropriate compensating control. An architecture that provides for real-time failover prevents financial impact from downtime, but it does so at significant cost. An enterprise that is primarily concerned with financial impact (rather than operational efficiency or other concerns) is unlikely to accept this higher cost because the other benefits associated with real-time failover are not seen as justified. A disaster recovery plan aids an enterprise in performing the steps needed to return to normal operations after a disaster, but even a clearly drafted and tested plan does not compensate for the financial impact of downtime, and many information security incidents have impacts that do not meet the disaster threshold.

Answer 225

C is the correct answer. Justification The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The recovery time objective is the target time to restore services to either the service delivery objective (SDO) or normal operations. The SDO is the agreed-on level of service required to resume acceptable operations. Maximum tolerable outage is the maximum length of time that the enterprise can operate at the recovery site.

Answer 226

D is the correct answer. Justification Proximity to hazards is not a primary consideration in conducting a business impact analysis. Proximity to hazards is not a primary consideration in conducting a table-top business continuity test. Proximity to hazards is not a primary consideration in developing disaster recovery metrics. Proximity to the primary site, the scope of potential hazards, and their possible impact on the recovery site are important considerations when selecting the location of a recovery site.

Answer 227

A is the correct answer. Justification Eradication includes the activities, tasks, and steps taken to correct the root cause of the incident. Incident response teams first conduct root cause analysis at this stage to determine the underlying causes of an incident and find a solution in order to prevent recurrence of the problem. The main objective of the incident containment phase is to prevent and stop an incident spreading to other enterprise resources and assets as fast as possible. Therefore, it is too early to conduct a root cause analysis at this stage. The incident recovery phase needs a remediated root cause in order to effectively perform recovery activities and restore the enterprise to normal operational activities. The post-incident phase is part of incident management, not part of incident response. If the root-cause analysis performed in the containment phase was not successful, a second root-cause analysis can be performed in the post-incident assessment.

Answer 228

A is the correct answer. Justification A demonstrated ability to restore data is the best way to ensure that data can be restored after a disaster, and data drive the majority of business processes. If an enterprise is unable to restore its data, it will be of little value to have other considerations in place. On the other hand, if data can be restored, the enterprise can likely find workarounds for other challenges that it may face. Having a warm site speeds up the process of disaster recovery by providing the facilities and equipment where data can be restored and operations reconstituted. However, if the data themselves cannot be restored, having the facilities and equipment will not be nearly as useful. Performing data backups on a daily or other periodic basis is a good practice, but it is not until recovery is attempted that an enterprise gains knowledge of whether these backups are effective. Should the enterprise diligently perform backups for months or years and then discover that it cannot restore the data, all the time and expense of the backup program will have been wasted. Recovery procedures are documented in the disaster recovery plan rather than in the incident response plan.

Answer 229

A is the correct answer. Justification Recovery time objective is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level. Maximum tolerable outage is the maximum time for which an enterprise can operate in alternate mode. Recovery point objectives relate to the age of the data required for recovery. Service delivery objectives are the levels of service required for acceptable operations.

Answer 230

C is the correct answer. Justification The incident should be documented in detail in the incident log. A communication plan would dictate how details of the incident should be reported to stakeholders. The primary objective of a root-cause analysis is not to pass an audit or to satisfy the auditors. Root-cause analysis is performed to understand how to prevent the incident from reoccurring in the future or to reduce the impact of similar incidents if they happen in the future. The primary objective of root-cause analysis is to understand more about the incident and how to avoid it in the future or reduce its impact. Informing senior management is only a byproduct of the analysis.

Answer 231

C is the correct answer. Justification A vulnerability assessment will identify the existing vulnerabilities in the system. However, reoccurrence of threats depends upon the controls and corrective actions that are implemented. Automated log monitoring helps in the early detection of an incident but may not indicate the possibility of reoccurrence. A root cause analysis determines the vulnerabilities exploited by threats and how they were exploited. Based on the analysis, the information security manager may suggest corrective actions to prevent future exploitation. Forensic investigations could help determine the method of attack and the actor that launched the attack but may not provide an indication on reoccurrence.

Answer 232

C is the correct answer. Justification Monitoring may cause incident duration to become longer, as each event is investigated and possibly escalated for further remediation. Risk tolerance is a determination made by senior management based on the results of a risk analysis and the amount of risk senior management believes the enterprise can manage effectively. Risk tolerance will not change from implementation of a monitoring process. When a key process is not monitored, that lack of monitoring may lead to a security vulnerability or threat going undiscovered, resulting in a security incident. Once consistent monitoring is implemented, identification of vulnerabilities and threats will improve. Monitoring itself is simply an identification and reporting tool; it has little bearing on how information is escalated to other staff members for investigation and resolution.

Answer 233

B is the correct answer. Justification Recording incidents helps in providing evidence of forensic analysis in case legal action is required. Providing evidence for forensic analysis may or may not be the primary requirement for all incidents. Recording information security incidents helps in maintaining a record of events from detection of the incident to closure of the incident. This helps the incident management teams to ensure that all related aspects required for resolving, closing and preventing reocurrence of incidents are covered. Recording incidents helps in identifying all required parameters for determining a severity classification; however, incident management is focused on containment, prevention and recovery. Tracking errors to assign accountability is not the primary purpose for recording details of information security incidents. Process improvement is the primary purpose.

Answer 234

C is the correct answer. Justification Because the virus was reported and eradicated, there is no reason to suspect that the intrusion detection system is misconfigured. The first step is to determine the entry path so the investigation can identify which controls failed. Information on type and payload of the virus is a secondary consideration because eradication has been concluded. To prevent the recurrence, the security manager must find out how the virus entered the system and implement required controls. The origin of the virus is not immediately actionable information and is not necessarily relevant.

Answer 235

A is the correct answer. Justification Following the eradication phase, the enterprise needs to understand the cause of the incident to ensure that it implements appropriate additional controls, fixes control lapses and is able to start the recovery process. Before systems are restored, the enterprise must first identify the cause. Before changes can be implemented, the cause of the incident must be understood. Preventing reoccurrence is an important part of the lessons learned phase. Analysis is needed before the enterprise can protect against future breaches.

Answer 236

B is the correct answer. Justification A penetration test is a simulated cyberattack against one’s computer system to check for exploitable vulnerabilities. Penetration testing reports vary by type and scope and may not contain information about malware or overall weaknesses in the enterprise’s network and systems. A root cause analysis exposes the main causes of problems to identify appropriate solutions. Conducting a root cause analysis is the best course of action because it is an extensive investigation that considers the results of all the other choices. Vulnerability scans offer information pertaining to the target’s known vulnerabilities. Although they could be useful in determining the source, they themselves are not the best answer. A compliance check scans the target and assesses compliance based on the standards selected for the scan.

Answer 237

A is the correct answer. Justification Consistent achievement of recovery time objectives during testing provides the most objective evidence that business continuity plan/disaster recovery plan (BCP/DRP) objectives have been achieved. Objective testing of the BCP/DRP will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning. If the recovery point objective is inadequate, the objectives of BCPs have not been achieved. Mere valuation and assignment of information assets to owners (according to the BCP/DRP) will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.

Answer 238

B is the correct answer. Justification Evaluating the relevance of evidence is not the primary purpose for a post-incident review because it should have been established during the response to the incident. Post-incident reviews are beneficial in determining ways to improve the response process through lessons learned from the attack. Identifying who launched the attack is not the primary purpose for a post-incident review because it should have been established during the response to the incident. Identifying what areas were affected is not the primary purpose for a post-incident review because it should have been established during the response to the incident.

Answer 239

A is the correct answer. Justification Post-incident reviews conducted after each incident help determine the gaps and opportunities in the actual incident response processes. Post-incident review results will enable the enterprise to discuss the lessons learned from the incident and introduce possible improvements with the current incident response process. Documented incident response procedures help conduct effective incident response activities, but if the team does not follow the documentation or there are issues regarding incident response resource capabilities, documentation alone does not help improve the incident response process. Incident response plan walkthroughs are a type of paper test conducted by team members for the incident response plan procedures. A walkthrough is not very reliable, and it is not sufficient to find gaps and shortcomings in the incident response process. Training helps team members with how to properly conduct the incident response activities but will not improve the process itself.

Answer 240

A is the correct answer. Justification It is always desirable to avoid the conflict of interest involved in having the information security team carry out the post-incident review. Obtaining support for enhancing the expertise of the third-party teams is one of the advantages but is not the primary driver. Identifying lessons learned for further improving the information security management process is the general purpose of carrying out the post-incident review. Obtaining better buy-in for the information security program is a secondary reason for involving third-party teams.

Answer 241

D is the correct answer. Justification The post-incident review should address any training needs and personnel that played a role in the event, but this is not the primary objective. Documenting the event should have been conducted during the incident. The post-incident review will rely on the documentation to learn what happened and the chronology of events. It is important to ensure that all damage has been fixed, but this should have been done before the post-incident review. During the incident, efforts may have been focused on getting the business back up and running; the post-incident review should ensure that the root cause of the incident is identified and addressed.

Answer 242

D is the correct answer. Justification Forensic evidence should have been gathered earlier in the process. A post-incident review should not focus on finding and punishing individuals who did not take appropriate action or on learning the identity of the attacker. Although a post-incident review can be used to prepare a report/presentation to management, it is not the primary goal. The primary goal of a post-incident review is to derive ways in which the incident response process can be improved.

Answer 243

C is the correct answer. Justification Adjusting budget provisioning is secondary. Forensic data should already be preserved and is not part of post-incident review. The primary objective is to find any weakness in the current process and improve it. The incident should have been fully documented prior to conducting the post-incident review; ensuring its completeness is secondary.

Answer 244

A is the correct answer. Justification Although some corrective actions were taken by the security team and the incident response team, management review will establish whether any other corrective actions needed to be taken. Sometimes this will result in improvements to information security policies. Management will not review information security incidents merely to demonstrate management commitment. Management will not perform a review for fault findings such as examining the incident response process for deficiencies. Management will not perform a review for fault findings such as evaluating the ability of the security team.

Answer 245

A is the correct answer. Justification The main purpose of a post-incident review is to identify areas of improvement in the process. Developing a process for continuous improvement is not the objective of a post-incident review. Developing a business case for the security program budget may be supported by the analysis of the incident but is not the key objective. Identifying new incident management tools may come from the analysis of the incident but is not the key objective.

Answer 246

C is the correct answer. Justification A full interruption test, in which operations are shut down at the primary site and shifted to the recovery site, is the most stringent form of response and recovery testing, but it is potentially disruptive. Even though the enterprise in this scenario might accept the cost of such a test, the need for continuous operations makes it inappropriate. Simulation testing addresses people and processes but does not address startup recovery-site operations; therefore, it provides a lower level of assurance than a parallel test would provide. The enterprise in this scenario requires continuous operations. A parallel test, in which operations are brought online at the recovery site alongside primary-site operations, is the closest an enterprise can come to full testing without risking a business impact; therefore, it is the best fit for the requirement. Structured walk-throughs are pen-and-paper activities. A walk-through may help identify constraints, deficiencies and opportunities for enhancement, but the level of assurance it provides is low relative to a parallel test.

Answer 247

C is the correct answer. Justification Purchasing additional tools does not have an impact on organizational culture as this is the responsibility of the incident response team. Following documented procedures is the responsibility of the incident response team and does not improve the overall organizational learning culture. The performance of staff and management during an incident is proportional to their level of awareness of the incident response process. Deficiencies in these areas could reveal opportunities for improvement and additional training. Proposed corrective actions encompass the entire incident response process; hence, these actions may or may not impact the organizational learning culture.

Incident Management Flashcards

(271 cards)