Incident Management Flashcards
To ensure the timely identification of security incidents, the BEST course of action is to:
A. document a business impact analysis.
B. review a risk analysis.
C. implement incident detection.
D. apply preventive and detective controls.
C is the correct answer.
Justification
The business impact analysis identifies and analyzes business processes and activities with the objective of understanding the impact of downtime, which drives the assignment of recovery objectives and prioritization. Downtime is tied to the availability requirement within the scope of information security.
Risk analysis does not ensure the timely identification of information security incidents. The incident process performance deals with timely operations. Risk analysis is mainly concerned with calculating the probability and impact of a potential risk.
Incident detection provides timely notification of an incident and can ensure the timely triggering and identification of incidents. Consequently, implementing incident detection ensures proper incident response, reducing impacts to within acceptable levels.
Incident management is built on reactive controls because it must handle effects not manageable with preventive controls. Detective controls represent a wide range of countermeasures and do not ensure timely identification and handling of incidents.
To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?
A. Assessment of business impact of past incidents
B. Need for an independent review of incident causes
C. Need for constant improvement on the security level
D. Possible business benefits from incident impact reduction
D is the correct answer.
Justification
The assessment of business impact of past incidents would need to be completed to articulate the benefits.
Having an independent review benefits the incident management process.
The need for constant improvement on the security level is a benefit to the enterprise.
Business benefits from incident impact reduction would be the most important goal for establishing an incident management team.
When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
A. Business continuity plan
B. Disaster recovery plan
C. Incident response plan
D. Vulnerability management plan
C is the correct answer.
Justification
A business continuity plan would be triggered during the execution of the incident response plan in case it developed into a disaster causing serious business interruption.
A disaster recovery plan would be triggered during the execution of the incident response plan if it developed into a disaster.
An incident response plan documents the step-by-step process to follow, along with the related roles and responsibilities pertaining to all parties involved in responding to an information security breach.
A vulnerability management plan is a procedure to address technical vulnerabilities and mitigate the risk through configuration changes (patch management).
Which of the following measurements is integrated into the incident response plan by this statement: “If the database is corrupted by an incident, the backup at the close of work on the previous day should be restored”?
A. The recovery time objective
B. The recovery point objective
C. The service delivery objective
D. The maximum tolerable outage
B is the correct answer.
Justification
The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. The statement does not mention the time for the restoration to be concluded.
The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The statement allows for the loss of the current day’s data.
Directly related to the business needs, the service delivery objective (SDO) is the level of services to be reached during the alternate process mode until the normal situation is restored. The SDO is the acceptable level of service within the RTO.
The maximum tolerable outage is the maximum time that an enterprise can support processing in alternate mode.
When establishing a new incident management team whose members will serve on a part-time basis, which of the following means of training is MOST effective?
A. Formal training
B. Mentoring
C. On-the-job training
D. Induction
A is the correct answer.
Justification
Formal training is a good choice when everyone is new because it does not assume any prior knowledge and ensures that everyone covers the same material.
Mentoring is most effective when senior members of an established team can be paired with new members. It does not work well when everyone is new.
On-the-job training is a suitable choice when the material to be learned is part of the participants’ everyday duties. For an incident management team comprised of part-time members, there will be limited opportunities to train in the course of regular, day-to-day activities.
Induction provides a basic overview of incident management team activities and serves as a basis for further training. By itself, it is not an effective means of training.
Which of the following choices includes the activity of evaluating the computing infrastructure by performing proactive security assessment and evaluation?
A. A disaster recovery plan
B. A business continuity plan
C. An incident management plan
D. A continuity of operations plan
C is the correct answer.
Justification
A disaster recovery plan is a set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency.
A business continuity plan is a plan used by an enterprise to respond to disruption of critical business processes. It depends on the contingency plan for restoration of critical systems.
Proactive security assessment and evaluation of the computing infrastructure is part of the protect phase of the incident management planning process flow.
A continuity of operations plan is an effort within individual executive departments and agencies to ensure that primary mission-essential functions continue to be performed during a wide range of emergencies, including localized acts of nature, accidents and technological or attack-related emergencies.
Who would be in the BEST position to determine the recovery point objective for business applications?
A. Business continuity coordinator
B. Chief operations officer
C. Information security manager
D. Internal audit
B is the correct answer.
Justification
It would be inappropriate for a business continuity coordinator to determine the recovery point objective (RPO) because that role is not directly responsible for the data or the operation.
The RPO is the processing checkpoint to which systems are recovered. In addition to data owners, the chief operations officer is the most knowledgeable person to make this decision.
It would be inappropriate for the information security manager to determine the RPO because that role is not directly responsible for the data or the operation.
It would be inappropriate for internal audit to determine the RPO because that role is not responsible for the data or the operation.
Which of the following is a key component of an incident response policy?
A. Updated call trees
B. Escalation criteria
C. Press release templates
D. Critical backup files inventory
B is the correct answer.
Justification
Call trees are too detailed, change too frequently and are not a part of policy.
Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, should be contained within an incident response policy.
Press release templates are too detailed to be included in a policy document.
Lists of critical backup files are too detailed to be included in a policy document.
Addressing the root cause of an incident is one aspect of which of the following incident management processes?
A. Eradication
B. Recovery
C. Lessons learned
D. Containment
A is the correct answer.
Justification
Determining the root cause of an incident and eliminating it are key activities that occur as part of the eradication process.
Recovery focuses on restoring systems or services to conditions specified in service delivery objectives (SDOs) or business continuity plans (BCPs).
Lessons learned are documented at the end of the incident response process, after the root cause has been identified and remediated.
Containment focuses on preventing the spread of damage associated with an incident, typically while the root cause either is still unknown or is known but cannot yet be remediated.
The triage phase of the incident response plan provides:
A. a snapshot of the current status of all incident activity reported.
B. a global, high-level view of the open incidents.
C. a tactical review of an incident’s progression and resolution.
D. a comprehensive basis for changes to the enterprise architecture.
A is the correct answer.
Justification
Triage gives a snapshot based on both strategic and tactical reviews for the purposes of assigning limited resources to where they can be most effective.
Triage addresses the tactical level of the incident to be able to determine the best path to resolution and does not focus exclusively on the high-level view.
Triage provides a view of both the tactical and strategic levels and occurs prior to resolution.
Triage occurs before root-cause analysis, so it does not provide a comprehensive basis for changes to the enterprise architecture.
Which of the following would be the BEST indicator of the readiness of the incident response team in the context of the overall incident management program?
A. Amount of time for incident detection
B. Time between incident detection and severity determination
C. Time between detection and response
D. Amount of time between incident occurrence and its resolution
C is the correct answer.
Justification
The time to detect is a measure of detection capability, which is typically provided by automated controls.
Time between detection and determining severity is a part of response.
Readiness is the time it takes from detection to initiate a response. The first time that the incident response team typically becomes aware of an event is when an alert is provided by monitoring mechanisms.
Time between incident and resolution is a function of response capability.
The purpose of incident management and response is to:
A. recover an activity interrupted by an emergency or disaster within defined time and cost parameters.
B. perform a walk-through of the steps required to recover from an adverse event.
C. reduce business disruption insurance premiums for the business.
D. address disruptive events with the objective of controlling impacts within acceptable levels.
D is the correct answer.
Justification
Recovering an interrupted activity within defined time and cost parameters is the definition of a disaster recovery plan (DRP). The incident response process is sequentially the first response to an adverse event, with the aim of preventing the incident from escalating to a disaster.
A DRP table-top test or walk-through is performed to exercise the DRP in a test scenario to determine whether the steps that the enterprise needs to take to recover are reliably documented.
Business disruption insurance is an instrument of the risk management strategy to diversify and distribute the costs associated with an adverse event to a third party. Business insurance premiums are not dependent on incident management and response.
Incident management and response is a component of business continuity planning. As a first response to adverse events, the objective of incident management and response is to prevent incidents from becoming problems and to prevent problems from becoming disasters.
What is the FIRST action an information security manager should take when a company laptop is reported stolen?
A. Evaluate the impact of the information loss.
B. Update the corporate laptop inventory.
C. Initiate appropriate incident response procedures.
D. Disable the user account immediately.
C is the correct answer.
Justification
Evaluating the impact of the information loss would be a part of incident response procedures.
Updating inventory is of minor significance and can be done anytime.
The first step is to initiate incident response procedures.
Disabling the user account would be addressed as a part of incident response.
Which of the following needs to be MOST seriously considered when designing a risk-based incident response management program?
A. The chance of collusion among staff
B. Degradation of investigation quality
C. Minimization of false-positive alerts
D. Monitoring repeated low-risk events
D is the correct answer.
Justification
In general, any control practice is vulnerable to collusion, and if an incident is carefully crafted among a number of staff, it is hard to detect. However, successful collusion is not common.
As long as it is well-defined, it is unlikely that the quality of incident investigation will fall short.
A risk-based approach may not guarantee the minimization of false-positive alerts.
A risk-based approach focuses on high-risk items. Those attempting to commit fraud may take advantage of its weaknesses. When risk-based monitoring is in place, there is a higher chance of overlooking low-risk activities. Even though the impact of a low-risk event is small, it may not be possible to ignore the accumulated damage from its repeated occurrence. Therefore, it is essential to review the chance of the repeated occurrence of low-risk events.
Which of the following documents should be contained in a computer incident response team manual?
A. Risk assessment
B. Severity criteria
C. Employee phone directory
D. Table of all backup files
B is the correct answer.
Justification
Risk assessments would be available to the response team. However, they typically change at least annually, so it would not make sense to include them in the manual.
Severity criteria will remain relatively static and are the only one of the choices appropriate for the manual. The other choices will change frequently, and it would not make sense to reprint the manual every time phone numbers or backup files change.
A phone directory will change frequently and would not be included in the manual.
A table of backup files would typically be very large and change frequently and would not be included in the manual.
While defining incident response procedures, an information security manager must PRIMARILY focus on:
A. closing incident tickets in a predetermined time frame.
B. reducing the number of incidents.
C. minimizing operational interruptions.
D. meeting service delivery objectives.
D is the correct answer.
Justification
Closing tickets is not a priority of incident response.
Reducing the number of incidents is the focus of overall incident management.
Minimizing the impact on operations is not necessarily the primary focus. Some disruption in operations may be within acceptable limits.
The primary focus of incident response is to ensure that business-defined service delivery objectives are met.
Which of the following actions is MOST important when a server is infected with a virus?
A. Isolate the infected server from the network.
B. Identify all potential damage caused by the infection.
C. Ensure that the virus database files are current.
D. Establish security weaknesses in the firewall.
A is the correct answer.
Justification
The priority in this event is to minimize the effect of the virus infection and to prevent it from spreading by removing the infected server from the network.
After the network is secured from further infection, the damage assessment can be performed.
The virus signature files should be updated on a regular basis regardless of when a server was infected.
Detecting a virus infection is a function of the antivirus software and generally unrelated to weakness in the firewall.
The PRIMARY objective of incident response is to:
A. investigate and report results of the incident to management.
B. gather evidence.
C. minimize business disruptions.
D. assist law enforcement in investigations.
C is the correct answer.
Justification
Investigating and reporting results of the incident is a responsibility of incident response teams but not the primary objective.
Gathering evidence is an activity that an incident response team may conduct, depending on circumstances, but not a primary objective.
The primary role of incident response is to detect, respond to and contain incidents so that impact to business operations is minimized.
Assisting law enforcement is an activity that an incident response team may conduct, depending on circumstances, but not a primary objective.
The MOST important purpose of implementing an incident response plan is to:
A. prevent the occurrence of incidents.
B. ensure business continuity.
C. train users on resolution of incidents.
D. promote business resiliency.
D is the correct answer.
Justification
The incident response plan is a means to respond to an event but does not prevent the occurrence.
Business continuity plans, not incident response plans, are designed to restore business operations after a disaster; they cannot assure the actual outcome.
The incident management plan may address training users, but the incident response plan does not.
Business resilience refers to the ability of the business to withstand disruption. An effective incident response plan minimizes the impact of an incident to the level that it ideally is transparent to end users and business partners.
The PRIMARY way in which incident management adds value to an enterprise is by:
A. reducing the overall threat level.
B. optimizing risk management efforts.
C. eliminating redundant recovery plans.
D. streamlining the reporting structure.
B is the correct answer.
Justification
Incident management focuses on prevention, containment and restoration activities and does not reduce the threat level.
Incident management is a component of risk management that can provide an optimal balance between prevention, containment and restoration.
Recovery plans are created by business and process owners. Incident management should ideally be integrated with continuity and recovery plans, but an enterprise does not seek to evaluate these plans for redundancy.
Reporting structures are typically created for business reasons. Incident management may play a role in clarifying or modifying the structures used for reporting incidents in particular, but streamlining the reporting structure is not the primary way in which incident management adds value to an enterprise.
The BEST time to determine who should notify external entities of an information security breach involving customer privacy data is:
A. after the incident has been detected and confirmed.
B. after the approval of the incident by senior management.
C. during the development of the incident response plan.
D. dependent on applicable laws and regulations.
C is the correct answer.
Justification
Determining roles and responsibilities during an incident is counterproductive and causes confusion.
Senior management does not approve incidents; incident response teams confirm them.
Responsibilities, including who should communicate what and how, should be established when the incident response plan is developed. This ensures that teams know their roles and responsibilities prior to an incident occurring.
Laws, regulations and requirements are part of the foundation of an incident response plan.
Which of the following benefits that the enterprise receives from employing a systematic incident management program with a formal methodology is MOST important?
A. A formal methodology makes incident management more flexible.
B. A formal methodology is more reliant on business continuity activities.
C. Each incident responder is able to get broad-based experience.
D. Evidence of due diligence supports legal and liability claims.
D is the correct answer.
Justification
The more formalized something becomes, the less flexible it is.
A formal methodology is actually able to more easily operate as a stand-alone function, with less reliance on business continuity activities.
Having a formal methodology means that duties are generally assigned based on competence and availability of time.
Legal and liability claims are most credible when the mechanisms used to collect the supporting evidence are formally documented, repeatable and regularly practiced.
The information security manager identifies a vulnerability in a publicly exposed business application during risk assessment activities. The NEXT step to take is:
A. containment.
B. eradication.
C. analysis.
D. recovery.
C is the correct answer.
Justification
Containment is necessary when an incident is found to have occurred. Prior to analysis, the information security manager has no way of knowing whether an incident may have occurred in the past or might even still be underway, so analysis should precede containment.
Eradication is undertaken once an incident has been contained, which requires that it first be analyzed to determine its scope.
Identification of a vulnerability does not necessarily mean that an incident has occurred, but reliance on automated detection mechanisms when a vulnerability has been identified may allow any compromises that have already occurred to continue unimpeded. Analysis is appropriate to determine whether a threat actor may have already exploited the vulnerability and, if so, to determine the scope of the compromise.
Recovery is the last step taken before concluding an incident. At the time that a vulnerability is detected, there is no apparent impact, so recovery is not yet needed. Eradication and recovery will take place if an incident has occurred. However, it is important to first determine if an incident has taken place.
Which of the following is likely to be the MOST significant challenge when developing an incident management plan?
A. Misalignment between plan and organizational goals
B. Implementation of log centralization, correlation and event tracking
C. Development of incident metrics
D. Lack of management support and organizational consensus
D is the correct answer.
Justification
The incident management plan is a subset of the security strategy, which already aligns with organizational goals and, therefore, does not represent a major challenge.
Implementation of log centralization, correlation and event tracking is required, but it is not the most significant challenge.
Incident metrics must be developed, but they are straightforward and not a significant challenge.
Getting senior management buy-in is often difficult, but it is the necessary first step to move forward with any incident management plan.
In order to contain an incident, which of the following would be the MOST effective to ensure that the proper tools, technologies and subject matter experts are engaged?
A. process
B. team
C. plan
D. strategy
D is the correct answer.
Justification
Processes will be developed based on the strategy.
Once processes are developed, teams are defined by the strategy.
Unless a strategy is defined, a plan cannot be developed.
A strategy is the most effective, as it defines the overall goal of the incident response.
Which of the following is the FIRST step in developing an incident response plan?
A. Set the minimum time required to respond to incidents.
B. Establish a process to report incidents to senior management.
C. Ensure the availability of skilled resources.
D. Categorize incidents based on likelihood and impact.
D is the correct answer.
Justification
Determining response time is based on the categorization of incidents.
The process for reporting depends on the categorization. Management may want only high-severity incidents to be reported.
The resources required depend on the categorization of the incident and the established response time.
Incidents with higher likelihood and impact warrant more attention.
While developing incident response procedures an information security manager must ensure that the procedure is PRIMARILY aimed at:
A. containing incidents to minimize damage.
B. identifying root causes of incidents.
C. implementing solutions to prevent recurrence.
D. recording and closing incident tickets.
A is the correct answer.
Justification
Incident response procedures primarily focus on containing the incident and minimizing damage.
Root cause analysis is a component of the overall incident management process rather than the incident response procedure.
Implementing solutions is possible only after a cause has been determined.
Recording and closing tickets is part of the subsequent documentation process but is not the primary focus of incident response.
Which of the following contributes MOST to incident response team efficiency?
A. Security policies and procedures
B. Defined roles and responsibilities
C. Digital forensic analysis skills
D. Reporting line structure
B is the correct answer.
Justification
Knowing about security policies and procedures may be important. However, this knowledge is not a must-have for an incident response team to work efficiently.
Incident response team members need to work in a disrupted environment; therefore, it is essential that they be clearly aware of their roles and responsibilities prior to engagement.
There could be an instance when a digital forensic analyst is needed. In such a case, assigning a qualified professional may be the best solution, rather than having the response team learn the skills.
The reporting structure is a mandatory component for a team to operate. However, in the case of incident response, team size is usually small and the reporting line may be flat. Thus, it may not be a major contributor to efficiency.
The PRIMARY business objective of incident management is:
A. containment.
B. root-cause analysis.
C. eradication.
D. impact control.
D is the correct answer.
Justification
Containment is one of the steps of the standard incident management process, not the primary objective. Depending on the nature of the incident and its potential impact on the enterprise, containment may or may not be a priority.
Root-cause analysis facilitates long-term remediation of vulnerabilities to prevent the recurrence of a given type of incident, but it is not the purpose of incident management.
Eradication is one of the steps of the standard incident management process, not the primary objective.
The purpose of incident management is to identify and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels.
Which of the following is the MOST important measure an enterprise should take to deal with the potential impacts of zero-day attacks?
A. Set comprehensive prevention, detection and response mechanisms.
B. Have an updated business impact analysis.
C. Perform a zero-day scenario analysis.
D. Perform a walkthrough test of the incident response plan.
A is the correct answer.
Justification
To effectively detect and mitigate zero-day attacks, coordinated and optimized defense and tested response plans are needed. These should include the best prevention and detection technology, a plan for worst-case scenarios and a comprehensive response plan.
The business impact analysis identifies and analyzes business processes, which drives the assignment of recovery objectives and prioritization. It can be used to help develop the incident response plan.
A scenario analysis helps to assess risk qualitatively and is part of a risk assessment process. However, the incident response plan would be a more effective tool in dealing with zero-day attacks.
A walkthrough tests the design and effectiveness of existing controls. However, existing controls typically do not defend against unidentified zero-day attacks.
What makes an incident management program effective?
A. It identifies, assesses and prevents recurrence of incidents.
B. It detects and documents incidents.
C. It includes a risk management strategy.
D. It reflects the capabilities of the enterprise.
A is the correct answer.
Justification
Incident management identifies and assesses incidents as they happen. Then it implements improvements to prevent future occurrences.
Detecting and documenting incidents is only part of the process; future occurrences need to be addressed and prevented.
Risk management occurs outside the incident management program.
Objectives are set based on business needs, and capabilities are built to meet those objectives.
Which of the following is the BEST basis for determining the criticality and sensitivity of information assets?
A. A threat assessment
B. A vulnerability assessment
C. A resource dependency assessment
D. An impact assessment
D is the correct answer.
Justification
Threat assessment lists only the threats the information asset is exposed to; it does not consider the value of the asset and impact of the threat on the value.
Vulnerability assessment lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Resource dependency assessments provide process needs, but not impact.
The criticality and sensitivity of information assets depend on the impact and likelihood of threats exploiting vulnerabilities in the asset, taking into consideration the value of the asset and the impairment of that value.
A business impact analysis is the BEST tool for determining:
A. total cost of ownership.
B. priority of restoration.
C. annual loss expectancy.
D. residual risk.
B is the correct answer.
Justification
A business impact analysis (BIA) is not used to determine total cost of ownership to the enterprise.
A BIA is the best tool for determining the priority of restoration for applications.
A BIA is not used to determine annual loss expectancy to the enterprise.
A BIA is not used to determine residual risk to the enterprise.
An information security manager at a financial company has been asked to assess the worst-case scenario if the transition to quantum-resistant encryption algorithms fails. Which of the following activities would provide the BEST information for the information security manager to draw a conclusion?
A. Conducting a business impact analysis
B. Reviewing the risk register
C. Performing a post-implementation review
D. Initiating a cost-benefit analysis
A is the correct answer.
Justification
Conducting a business impact analysis (BIA) focusing on the failure of the transition would provide the most direct and relevant information. The BIA would assess the potential impacts on the business operations, financial performance, and reputation of the company due to the failure of the transition.
Reviewing the risk register for risk associated with quantum computing could provide useful information, but it might not directly address the specific scenario of the transition failure.
Performing a post-implementation review of the transition process could provide insights into what went wrong during the transition, but it might not fully capture the potential impacts of the transition failure.
Initiating a cost-benefit analysis of the transition to quantum-resistant algorithms could provide information about the financial feasibility of the transition, but it might not directly assess the potential impacts of the transition failure.
Which of the following activities MUST a financial services enterprise do with regard to a web-based service that is gaining popularity among its customers?
A. Perform annual vulnerability mitigation.
B. Maintain third-party liability insurance.
C. Conduct periodic business impact analysis.
D. Architect a real-time failover capability.
C is the correct answer.
Justification
Vulnerability management is an important part of managing any system, not only a web-based service, but mitigation decisions are made on the basis of risk and are not isolated to an annual activity.
The decision of whether to carry liability insurance is a business decision made on the basis of quantified risk.
A service that is gaining popularity will increase in value to the enterprise as it grows, leading to corresponding growth in the magnitude of potential loss should the service be interrupted. Periodic business impact analyses (BIAs) quantify this magnitude and ensure that adequate recovery capabilities can be put in place.
Real-time failover capabilities may be warranted, but the decision to design and deploy such capabilities is a business decision based in large part on an accurate BIA quantifying the magnitude of potential loss should the service be interrupted.
An enterprise determined that if its email system failed for three days, the cost to the enterprise would be eight times greater than if it could be recovered in one day. This determination MOST likely was the result of:
A.disaster recovery planning.
B.business impact analysis.
C.site proximity analysis.
D.full interruption testing.
B is the correct answer.
Justification
A disaster recovery plan does not include impact of system loss. A business impact analysis must be completed prior to disaster recovery planning.
A business impact analysis is used to establish the escalation of loss over time, in addition to other elements.
Site proximity is a consideration during disaster recovery planning for locating a recovery site. Where the site is located does not indicate the business impact.
Full interruption testing is used to validate disaster recovery plans. A business impact analysis must be completed prior to disaster recovery planning.
A manufacturing company relies on Internet of Things (IoT) devices for production processes and equipment monitoring. Which of the following would be the MOST critical in conducting a business impact analysis in this case?
A.Identifying the dependencies between IoT devices and critical business functions
B.Assessing the financial and reputational impact of IoT-related disruptions
C.Evaluating the regulatory and compliance implications of IoT-related disruptions
D.Analyzing the resilience and redundancy measures implemented in the IoT infrastructure
A is the correct answer.
Justification
Identifying dependencies between IoT devices and critical business functions is crucial for understanding the operational impact of IoT-related disruptions. Assessing these dependencies helps prioritize mitigation efforts and ensure continuity of essential business operations.
Assessing the financial and reputational impact of IoT-related disruptions is important for quantifying potential losses and justifying investments in risk mitigation measures. Understanding both direct and indirect costs provides a comprehensive view of the overall impact on the organization’s financial health.
Evaluating regulatory and compliance implications is essential, particularly in industries with stringent regulations governing data privacy and security. IoT-related disruptions may lead to regulatory violations and legal consequences, highlighting the importance of compliance in BIA.
Analyzing the resilience and redundancy measures in the IoT infrastructure is crucial for assessing the organization’s ability to withstand and recover from disruptions. Identifying gaps in resilience measures enables proactive mitigation strategies to minimize the impact of IoT-related incidents.
How does the business impact analysis (BIA) process integrate with business continuity planning (BCP)?
A.The BIA and BCP are performed in parallel to ensure all scenarios are considered.
B.The BCP is completed first and provides the inputs necessary to perform a thorough BIA.
C.A BIA is required for initial creation of the documents, and subsequent reviews create the BCP.
D.The BIA is performed first and provides the inputs necessary for developing BCP strategies and plans.
D is the correct answer.
Justification
The business impact analysis (BIA) process is closely related to business continuity planning (BCP). It serves as a foundational step feeding into the BCP life cycle and should be performed first. BIA identifies critical business functions, dependencies, and impacts of disruptions, which are essential for developing effective BCP strategies and plans.
BCP typically follows the BIA process in the BCP life cycle. BIA is conducted first to identify critical business functions, dependencies, and impacts of disruptions, which then inform the development of BCP strategies and plans.
Both the BIA and BCP are required on initial and subsequent reviews. The BIA process identifies critical business functions, dependencies, resources, and recovery requirements, which serve as essential inputs for developing BCP strategies and plans.
The BIA process identifies critical business functions, dependencies, resources, and recovery requirements, which serve as essential inputs for developing BCP strategies and plans. BCP builds upon the insights gained from the BIA to develop comprehensive plans and procedures for responding to and recovering from disruptive events.
A newly hired information security manager examines the 10-year-old business continuity plan and notes that the maximum tolerable outage (MTO) is much shorter than the allowable interruption window (AIW). What action should be taken as a result of this information?
A.Reassess the MTO.
B.Conduct a business impact analysis and update the plan.
C.Increase the service delivery objective.
D.Take no action; MTO is not related to AIW.
B is the correct answer.
Justification
Performing a business impact analysis (BIA) will include reassessment of the maximum tolerable outage (MTO); until that time, there is no way to determine whether it is the MTO or the allowable interruption window (AIW) that is incorrect.
The first issue is to determine whether the plan is current and then update requirements as necessary. The BIA will most likely be a collaborative effort with the business process owners.
The service delivery objective will need to be updated by performing a BIA.
The MTO should always be at least equal to the AIW and is generally longer.
Which of the following actions is involved when conducting a business impact analysis?
A.Identifying security threats and vulnerabilities
B.Developing notification and activation procedures
C.Listing investigative priorities
D.Listing critical business resources
D is the correct answer.
Justification
Identifying security threats is part of a risk assessment, not a business impact analysis (BIA).
Notification and activation procedures are not part of a BIA but should be part of a business continuity plan.
Listing investigative priorities is not part of a BIA.
Key results of a BIA include listing critical business resources, identifying disruption impacts and allowable outage times, and developing recovery priorities.
An enterprise’s chief information security officer would like to ensure that operations are prioritized correctly for recovery in case of a disaster. Which of the following would be the BEST to use?
A.A business impact analysis
B.An enterprise risk assessment
C.A business process map
D.A threat statement
A is the correct answer.
Justification
A business impact analysis (BIA) ensures that operations are prioritized correctly for recovery in case of a disaster.
An enterprise risk assessment would not support prioritization of system recovery.
A business process map would not support prioritization of system recovery.
A threat statement would not support prioritization of system recovery.
In the absence of organizational documentation, how can the information security manager BEST determine system and data sensitivity?
A.By relying on historical incident response data
B.By assessing the level of protection needed
C.By referring to industry benchmarks and standards for sensitivity classification
D.By postponing sensitivity classification until the necessary documentation is developed
B is the correct answer.
Justification
Historical incident response data may provide insights into incidents but may not directly address the classification of sensitivity.
In the absence of organizational documentation such as a business impact analysis or an asset criticality assessment report, system and data sensitivity can be determined based on the level of protection required to maintain the availability, integrity, and confidentiality of the system and data.
Industry benchmarks and standards can be valuable, but they cannot determine system and data sensitivity specific to an enterprise.
Postponing sensitivity classification emphasizes the need to complete the necessary documentation for a comprehensive sensitivity assessment; however, it is not the best course of action as it leaves data vulnerable.
Which of the following choices should be assessed after the likelihood of a loss event has been determined?
A.The magnitude of impact
B.Risk tolerance
C.The replacement cost of assets
D.The book value of assets
A is the correct answer.
Justification
Disaster recovery is driven by risk, which is a combination of likelihood and consequences. Once likelihood has been determined, the next step is to determine the magnitude of impact.
Risk tolerance is the acceptable deviation from acceptable risk. This is taken into account once risk has been quantified, which is dependent on determining the magnitude of impact.
Replacement cost is needed only when replacement is required.
Book value does not represent actual asset value and cannot be used to measure magnitude of impact.
Which of the following are the essential ingredients of a business impact analysis?
A.Downtime tolerance, resources and criticality
B.Cost of business outages in a year as a factor of the security budget
C.Business continuity testing methodology being deployed
D.Structure of the crisis management team
A is the correct answer.
Justification
A business impact analysis (BIA) is an exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system. The main inputs into a BIA are criticality of a business function or process, associated resources and maximum tolerable downtime.
Cost of business outages is associated with business continuity planning but is not related to the BIA.
Business continuity testing methodology is associated with business continuity planning but is not related to the BIA.
Structure of the crisis management team is associated with business continuity planning but is not related to the BIA.
During a business continuity plan test, one department discovered that its new software application was not going to be restored soon enough to meet the needs of the business. This situation can be avoided in the future by:
A.conducting a periodic and event-driven business impact analysis to determine the needs of the business during a recovery.
B.assigning new applications a higher degree of importance and scheduling them for recovery first.
C.developing a help desk ticket process that allows departments to request recovery of software during a disaster.
D.conducting a thorough risk assessment prior to purchasing the software.
A is the correct answer.
Justification
A periodic business impact analysis (BIA) can help compensate for changes in the needs of the business for recovery during a disaster.
Assigning new applications a higher degree of importance and scheduling them for recovery first reflects an incorrect assumption regarding the automatic importance of a new program.
Developing a help desk ticket process that allows departments to request recovery of software during a disaster is not an appropriate recovery procedure because it allows individual business units to make unilateral decisions without consideration of broader implications.
The risk assessment may not include the BIA.
In a business impact analysis, the value of an information system should be based on the overall:
A.cost of recovery.
B.cost to recreate.
C.opportunity cost.
D.cost of emergency operations.
C is the correct answer.
Justification
The business continuity coordinator will not be able to provide the correct level of detailed knowledge.
The information security manager will not have the level of detailed knowledge needed.
Business process owners are in the best position to understand the true impact on the business that a system outage would create.
IT management would not be able to provide the required level of detailed knowledge.
When performing a business impact analysis, which of the following should calculate the recovery time and cost estimates?
A.Business continuity coordinator
B.Information security manager
C.Business process owners
D.IT management
C is the correct answer.
Justification
The business continuity coordinator will not be able to provide the correct level of detailed knowledge.
The information security manager will not have the level of detailed knowledge needed.
Business process owners are in the best position to understand the true impact on the business that a system outage would create.
IT management would not be able to provide the required level of detailed knowledge.
Who should be the PRIMARY stakeholders involved in the business impact analysis (BIA) process?
A.IT personnel responsible for infrastructure resources and management
B.Senior management and executives
C.Risk management team and internal audit
D.Representatives from various business units and departments
D is the correct answer.
Justification
Limiting the business impact analysis (BIA) process to only IT personnel responsible for infrastructure resources and management may overlook critical business functions and dependencies beyond IT systems and infrastructure. While IT personnel play a crucial role in assessing the impact of technology-related disruptions, involving representatives from various business units ensures a more holistic understanding of the organization’s overall business continuity needs.
While senior management and executives provide strategic direction and oversight, relying solely on their input may not capture the detailed operational insights necessary for an effective BIA. Involving representatives from various business units and departments ensures that the BIA process considers a wide range of perspectives and operational details essential for identifying critical functions, dependencies, and recovery priorities.
While the risk management team is one of the stakeholders, internal audit teams are not typically involved in the recreation or rewriting of the BIA. Their input from earlier audits would be considered, but they would not be directly involved.
Involving representatives from different business units and departments ensures that the BIA process considers the unique perspectives and requirements of each area within the organization. These stakeholders provide valuable insights into their respective functions, processes, dependencies, and critical assets, enabling a comprehensive assessment of the potential impacts of disruptive events on the organization’s operations.
How does business continuity planning (BCP) integrate with other risk management processes within an organization?
A. BCP is a standalone process and does not relate to other risk management activities.
B. BCP replaces other risk management processes and controls.
C. BCP provides inputs for developing risk management strategies and controls.
D. BCP is conducted separately from other risk management activities without integration.
C is the correct answer.
Justification
Business continuity planning (BCP) is closely related to other risk management activities within an organization. It involves identifying and assessing risk to business operations and developing strategies to mitigate impacts, which are fundamental components of broader risk management processes.
BCP does not replace other risk management processes and controls within an organization. Instead, it complements existing risk management efforts by focusing specifically on ensuring continuity of critical business functions during disruptions.
BCP identifies potential risk and impacts to critical business functions and processes. By providing these inputs, BCP informs the development of risk management strategies and controls within the organization. This integration ensures that risk management efforts align with the organization’s continuity objectives, enhancing resilience and preparedness.
BCP should be conducted in coordination with other risk management activities within the organization to ensure alignment and integration of efforts. By incorporating BCP into the overall risk management framework, organizations can enhance their resilience and effectiveness in managing various risk factors.
Which of the following would the information security manager MOST likely recommend to maintain business resiliency when an enterprise has several factories located in remote areas?
A.Execute standard operating procedures
B.Introduce a business staff rotation program
C.Delegate authority to local management
D.Encourage a partnership with the local community
C is the correct answer.
Justification
It is a good practice to have a set of standard operating procedures. However, in the case of a business disruption, processes may not work as expected, so the standard operating procedure on its own is not the best option.
Staff rotation is a good practice; however, it is not primarily designed for a business continuity program.
In the event of a business disruption, the centralized chain of command may become disabled. To prepare for this situation, it may be effective to delegate authority to local management to ensure the continuity of operations.
It makes sense for an enterprise to establish a partnership with the local community. However, it is usually carried out from a social responsibility perspective rather than the interest of an enterprise (i.e., business continuity in each region).
Which of the following recovery strategies has the GREATEST chance of failure?
A.Hot site
B.Redundant site
C.Reciprocal arrangement
D.Cold site
C is the correct answer.
Justification
A hot site is incorrect because it is a site kept fully equipped with processing capabilities and other services by the vendor.
A redundant site is incorrect because it is a site equipped and configured exactly like the primary site.
A reciprocal arrangement is an agreement that allows two enterprises to back up each other during a disaster. This approach sounds desirable, but it has the greatest chance of failure due to problems in keeping agreements and plans up to date and providing adequate processing capacity.
A cold site is incorrect because it is a building that has a basic environment such as electrical wiring, air conditioning, flooring, etc., and is ready to receive equipment in order to operate.
Which of the following should be determined FIRST when establishing a business continuity program?
A.Cost to rebuild information processing facilities
B.Incremental daily cost of the unavailability of systems
C.Location and cost of offsite recovery facilities
D.Composition and mission of individual recovery teams
B is the correct answer.
Justification
The cost to rebuild information processing facilities would not be the first thing to determine.
Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing different systems. This will allow recovery time objectives to be determined.
Location and cost of a recovery facility cannot be addressed until the potential losses are calculated, because those losses determine the type of recovery site that is needed, which in turn affects cost.
Individual recovery team requirements will occur after the requirements for business continuity are determined.
The PRIMARY factor determining maximum tolerable outage is:
A.available resources.
B.operational capabilities.
C.long haul network diversity.
D.last mile protection.
A is the correct answer.
Justification
The main variable affecting the ability to operate in the recovery site is adequate resource availability, such as diesel fuel to operate generators. Although resources would be taken into account during initial calculation of the maximum tolerable outage (MTO), circumstances associated with disaster recovery frequently have unexpected impacts on availability of resources. As a result, the expectations may not be met during real-world events.
The operational capabilities of the recovery site would have been predetermined and factored into the MTO.
Long haul diversity does not affect MTO.
Last mile protection does not affect MTO.
After performing an asset classification, the information security manager is BEST able to determine the:
A.level of risk to information resources.
B.impact of a compromise.
C.requirements for control strength.
D.annual loss expectancy.
B is the correct answer.
Justification
The value of resources does not provide information on the risk to those resources.
Knowledge of an information resource’s value provides an understanding of the potential impact of the loss of the resource.
Information regarding potential impact is not adequate to determine control strength requirements; risk levels must also be understood.
The annual loss expectancy can only be calculated after determining the magnitude of the loss and frequency of occurrence.
Which of the following would BEST ensure that operations can continue at an alternate site in the event of a business disruption?
A.Data restoration to meet recovery time objectives
B.Testing end-to-end processes at the alternate site
C.Staff deployment to the alternate site
D.A service level agreement with the IT team
B is the correct answer.
Justification
Meeting recovery time objectives regarding data restoration is crucial. However, if the business does not run end-to-end, there will still be issues, and data will not be usable.
It is most important to ensure that operations are conducted in the same way at the alternate site as at the production site. The key point to confirm at the alternate site is that end-to-end processes work successfully. If end-to-end processes have not been ensured, it is difficult to conclude that the alternate site is ready to carry the business forward when a disruption occurs.
It is important to have proper staffing at the alternate site. However, this would be secondary or part of ensuring that processes run successfully.
A service level agreement is a fundamental business process. However, it is a secondary concern to ensuring that business processes work at the alternate site.
An information security manager is investigating an internal cybersecurity incident and has been directed to preserve potential evidence. After creating an image copy of the hard drive of suspected systems with a commonly used tool and making copies on which to perform analysis, which of the following should the information security manager do NEXT?
A.Encrypt the primary and backup hard drive images.
B.Use an alternative tool to make an image copy of the hard drive.
C.Generate hashes for the primary and backup hard drive images.
D.Document the process used to make an image copy of the hard drive.
C is the correct answer.
Justification
Ensuring the confidentiality of the hard drive images is not a primary concern during forensic analysis. Encrypted images cannot be analyzed.
If an image made with an alternative tool is desired, it should be made only after the existing primary and backup images have been hashed, so that their authenticity can be established if necessary.
Generating hashes for the primary and backup hard drive images provides a means of demonstrating that the image used for analysis is identical to the one stored for reference. It is essential that this step be performed before anything might happen to corrupt the original drive, so it should be done as soon as possible.
Documentation of the process should exist as part of the incident response procedures, but if it does not, the middle of an incident is not the best time to create it.
Which of the following processes is CRITICAL for deciding prioritization of actions in a business continuity plan?
A.Business impact analysis
B.Risk assessment
C.Vulnerability assessment
D.Business process mapping
A is the correct answer.
Justification
The business impact analysis (BIA) is the critical process for deciding prioritization of restoration of the information system/business processes in case of a security incident.
Risk assessment provides information on the likelihood of occurrence of a security incident and assists in the selection of countermeasures, but not in prioritization of restoration.
A vulnerability assessment provides information regarding the security weaknesses of the system, supporting the risk analysis process.
Business process mapping assists in conducting a BIA, but additional information obtained during a BIA is needed to determine restoration prioritization.
During a confirmed incident, the incident response team is unable to start business continuity operations because the computers at the warm site require an update to the operating system (OS) that will take one hour. Which of the following BEST describes the issue in this case?
A. The business continuity plan (BCP) was not thoroughly tested.
B. The BCP implementation phase was not executed properly.
C. A warm site is insufficient to meet the requirements of the business and a hot site is required.
D. The business impact analysis (BIA) was inaccurate.
A is the correct answer.
Justification
Periodic testing of the business continuity plan (BCP) would have helped the incident response team monitor the warm site and address the need for patches and updates proactively. Testing would also have identified potential complications and enabled the development of any needed workarounds.
The state of warm site computers may not be identified in the implementation phase.
Changing the site from a warm site to a hot site would not address the issue of required operating system (OS) updates for computers. Even hot sites require thorough testing of the BCP.
The issue here is with the lack of testing the state of the computers’ OSs and is not related to the business impact analysis (BIA). An inaccurate BIA would have wrongly prioritized the order of restoration.
An enterprise decides its old recovery facility is no longer adequate because it is not capable of operation for an extended period. The enterprise decides to build a new facility in another location that would address the major shortcomings of the old site and provide more space for possible future expansion. Until the new facility is completed, which of the following objectives for recovery will have to be changed?
A.Maximum tolerable outage
B.Recovery point objective
C.Service delivery objective
D.Allowable interruption window
C is the correct answer.
Justification
Although the current recovery facility cannot satisfy the maximum tolerable outage (MTO), that does not change the MTO. The enterprise should document an inability to meet the MTO and continue developing a new facility that will satisfy the objective.
The recovery point objective (RPO) is not affected by the stated deficiencies in the current recovery facility.
The service delivery objective (SDO) reflects a commitment to internal customers to meet certain performance standards. To be realistic, the objective must be changed to reflect the operating capabilities of the current recovery facility.
The MTO must be at least as great as the allowable interruption window (AIW). Therefore, it is possible that exceeding the MTO will result in not being able to meet the AIW, which will result in unacceptable damage to the enterprise. However, as with the MTO, the inability to meet the AIW does not make the associated damage acceptable, so changing the AIW would not be appropriate.
Recovery point objectives can be used to determine which of the following?
A.Maximum tolerable period of data loss
B.Maximum tolerable downtime
C.Baseline for operational resiliency
D.Time to restore backups
A is the correct answer.
Justification
The recovery point objective (RPO) is determined based on the acceptable data loss in the case of disruption of operations. RPOs effectively quantify the permissible amount of data loss in the case of interruption.
RPO cannot be used to determine allowable downtime.
RPO does not set the baseline for operational resiliency.
RPO will determine the required frequency and type of backup. The shorter the RPO, the more frequent the backups.
When an enterprise is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?
A.Ensuring accessibility should a disaster occur
B.Versioning control as plans are modified
C.Broken hyperlinks to resources stored elsewhere
D.Tracking changes in personnel and plan assets
A is the correct answer.
Justification
If all the plans exist only in electronic form, this presents a serious weakness, as the electronic version may be dependent on restoration of the intranet or other systems that are no longer available.
Versioning control is actually easier with an automated system.
Broken hyperlinks are a concern, but less serious than plan accessibility.
Tracking changes in personnel and plan assets is actually easier with an automated system.
In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?
A.Copies of critical contracts and service level agreements
B.Copies of the business continuity plan
C.Key software escrow agreements for the purchased systems
D.List of emergency numbers of service providers
B is the correct answer.
Justification
Copies of contracts and service level agreements would not be as immediately critical as the business continuity plan (BCP) itself.
Without a copy of the BCP, recovery efforts would be severely hampered or might not be effective. The BCP would contain a list of the emergency numbers of service providers.
Key software escrow agreements would not be as immediately critical as the BCP itself.
A list of emergency numbers would be a part of the BCP.
Which of the following should be included in the business continuity plan (BCP) to mitigate the impact of supply chain disruptions?
A. Focusing on cost-cutting measures and maintaining profitability
B. Prioritizing critical operations and using the remaining inventory to be cost-effective
C. Implementing new marketing strategies and managing customer expectations during the shortage
D. Identifying alternate suppliers and establishing relationships with them
D is the correct answer.
Justification
While cost-cutting measures may be necessary in response to revenue losses, they do not address the impending disruption in operations. Identifying alternate suppliers and other proactive measures are more effective in mitigating the impact of supply chain disruptions.
Making adjustments internally by prioritizing usage and utilizing the remaining inventory more efficiently may help a little but will not guarantee continuity of operations. Relying solely on the affected supplier to resume operations without exploring alternative options may lead to prolonged disruptions and negative consequences for the retail company.
While marketing strategies may help mitigate the impact of revenue losses in the short term, they do not address the underlying issue of supply chain disruptions. Implementing new marketing strategies may be beneficial in managing customer expectations during shortages, but it should complement proactive measures such as identifying alternate suppliers to ensure continuity of inventory supply.
Diversifying the supplier base by identifying alternative suppliers and establishing relationships with them enables companies to mitigate the impact of supply chain disruptions and ensure continuity of inventory supply while minimizing potential stock shortages and revenue losses.
What is the PRIMARY basis for a detailed business continuity plan?
A.Consideration of different alternatives
B.The solution that is least expensive
C.Strategies that cover all applications
D.Strategies validated by senior management
D is the correct answer.
Justification
Senior management should select the most appropriate strategy from the alternatives provided.
All recovery strategies have associated costs, including costs of preparing for disruptions and putting them to use in the event of a disruption. The latter can be insured against, but not the former. The best recovery option need not be the least expensive.
The selection of strategy depends on criticality of the business process and applications supporting the processes. It need not cover all applications.
A recovery strategy identifies the best way to recover a system in case of disaster and provides guidance based on detailed recovery procedures that can be developed. Different strategies should be developed and all alternatives presented to senior management. Senior management should select the most appropriate strategy from the alternatives provided. The selected strategy should be used for further development of the detailed business continuity plan.
What is the PRIMARY consideration when defining recovery time objectives for information assets?
A.Regulatory requirements
B.Business requirements
C.Financial value
D.IT resource availability
B is the correct answer.
Justification
Regulatory requirements may not be consistent with business requirements.
The criticality to business should always drive the decision.
The financial value of an asset may not correspond to its business value and is irrelevant.
While a consideration, IT resource availability is not a primary factor.
Which of the following is used to effectively align the business continuity requirements of an organization with its disaster recovery capabilities?
A. Collaborate with trusted partners to align business continuity requirements with disaster recovery capabilities.
B. Engage an independent auditor to review the business continuity plan (BCP) and disaster recovery plan (DRP) documentation.
C. Ensure approval of the BCP and DRP by senior management.
D. Perform regular drills of the BCP and DRP.
D is the correct answer.
Justification
While collaboration with trusted partners can help in strengthening the disaster recovery strategy, it will not help in identifying gaps.
An audit is performed on a sampling basis and may not highlight the gaps in business continuity requirements and disaster recovery capabilities.
Approval from senior management does not ensure alignment of both documents unless gaps are identified through drills and then filled.
To effectively align business continuity requirements with disaster recovery capabilities, regular drills are needed to help identify gaps so issues can be fixed, ensuring that recovery time objective (RTO) and recovery point objective (RPO) are achieved.
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party?
A.Cost to rebuild information processing facilities
B.Incremental daily cost of losing different systems
C.Location and cost of commercial recovery facilities
D.Estimated annual loss expectancy from key risk
C is the correct answer.
Justification
The cost of rebuilding the primary processing facility is not a factor in choosing an alternate recovery site.
The daily cost of losing systems is the same whether the alternate site is built or rented.
The decision whether to build an alternate facility or rent hot site facilities from a third party should be based entirely on business decisions of cost and ensuring the location is not susceptible to the same environmental risk as the primary facility.
Annual loss expectancy is not a factor in choosing to build or rent an alternate site.
Which of the following is the MOST appropriate backup strategy to enable recovery of data used in a critical business process with a low recovery point objective (RPO)?
A. Real-time local backup to network-attached storage (NAS)
B. Remote online storage area network (SAN) replication
C. Online data backup to direct-attached storage (DAS)
D. Asynchronous data replication to a remote site
B is the correct answer.
Justification
Real-time local backup to network-attached storage (NAS) provides real-time backup data in the same location. Both real data and backup data could possibly be affected by the same disaster.
Remote online storage area network (SAN) backup is a real-time backup of primary site data to high-speed, high-bandwidth remote SAN storage. Although more expensive, this offers higher availability of data in case of primary site disasters.
Online data backup to direct-attached storage (DAS) takes place in the same location. Because DAS is a data storage and availability solution in which the storage device (e.g., disk drive) is directly attached to a server or client, both real data and backup data could possibly be affected by the same disaster.
The primary disadvantage of asynchronous replication to a remote site is the time lag between data being stored at the primary and remote sites. If there is an incident or outage, transactions and data that are not replicated at the time of the incident will be lost, and data in secondary storage may not be current.
Which of the following items is MOST important to determine the recovery point objective for a critical process in an enterprise?
A.The number of hours of acceptable downtime
B.The total cost of recovering critical systems
C.The acceptable reduction in the level of service
D.The extent of data loss that is acceptable
D is the correct answer.
Justification
The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster. The RTO is not a factor in determining the recovery point objective (RPO).
The determination of the RPO would have already taken cost into consideration.
The service delivery level is directly related to the business needs. It is the level of services to be reached during the alternate process mode until the normal situation is restored.
The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
What would be the MAIN purpose for an enterprise to get insurance coverage against errors and omissions in addition to cybersecurity insurance?
A. Social engineering attacks result in financial losses for clients.
B. Client data held by the enterprise is constantly subject to cyberattacks.
C. Cyberattacks result in long disruptions to business operations.
D. The enterprise fails to comply with regulatory cybersecurity requirements.
A is the correct answer.
Justification
Errors and omissions (E&O) insurance and cybersecurity insurance offer similar types of liability coverage, although they each address different types of risk. E&O insurance provides legal liability protection in the event that an enterprise commits an act of error or omission that results in financial loss to a client, such as falling victim to a social engineering attack.
If the enterprise stores customer data, such as credit card numbers or email addresses, cybersecurity insurance will be sufficient. If client or other organizational data storage is compromised, this policy will pay for customer notification costs, a public relations campaign, and other recovery expenses.
If the cyberattacks result in disruptions in business process activities and operations, then insurance coverage against business interruptions would be the best choice.
An enterprise typically cannot insure against failure to comply with legal and regulatory requirements or any other breach of the law.
Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?
A.Business impact analysis
B.Risk assessment
C.Vulnerability assessment
D.Business process mapping
A is the correct answer.
Justification
A business impact analysis (BIA) provides results, such as impact from a security incident and required response times. The BIA is the most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.
Risk assessment is a very important process for the creation of a business continuity plan. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures but not in their prioritization.
A vulnerability assessment provides information regarding the security weaknesses of the system, supporting the risk analysis process.
Business process mapping facilitates the creation of the plan by providing mapping guidance on actions after the decision on critical business processes has been made—translating business prioritization to IT prioritization. Business process mapping does not help in making the decision but in implementing it.
What is the purpose of conducting regular testing of the business continuity plan (BCP)?
A. To ensure compliance with industry regulations and standards
B. To speed up the company’s response to a crisis
C. To demonstrate the organization’s commitment to sustainability
D. To identify weaknesses and gaps in the plan and procedures
D is the correct answer.
Justification
While regular testing and exercises of the business continuity plan (BCP) may contribute to ensuring compliance with industry regulations and standards indirectly by enhancing preparedness and resilience, the primary purpose of these activities is to assess and improve the effectiveness of the BCP itself rather than solely focus on compliance.
While a well-prepared and effective BCP can contribute to maintaining productivity and speed up the company’s response to a crisis, the primary purpose of regular testing and exercises is to assess and uncover areas needing improvement, such as incomplete procedures, and take corrective actions to increase the plan’s maturity.
While having a robust BCP can contribute to the organization’s sustainability by mitigating the impact of disruptions, the primary purpose of regular testing and exercises is to assess and improve the BCP’s effectiveness rather than directly demonstrate a commitment to sustainability.
Regular testing of the BCP helps organizations identify weaknesses and gaps in the plan and procedures. By simulating various scenarios, organizations can assess the effectiveness of their BCP in real-world conditions and uncover areas for improvement, such as incomplete procedures or overlooked dependencies.
An enterprise determined that in a worst-case situation it was not feasible to recreate all the data lost in a system crash in the time available. Various constraints prevent increasing the frequency of backups. What other solutions to this issue could the information security manager suggest?
A.Increase the recovery time objective
B.Decrease the service delivery objective
C.Adjust the maximum tolerable outage
D.Increase the allowable interruption window
A is the correct answer.
Justification
Because the original recovery time objective (RTO) cannot be met due to the time required to restore data, the RTO could be increased.
Decreasing the service delivery objective (SDO) would increase the problem and is not a solution.
Adjusting the maximum tolerable outage (MTO) would not have any effect on the situation.
Increasing the allowable interruption window (AIW) is based on the maximum time the enterprise can be down before major financial impacts occur.
For global enterprises, which of the following is MOST essential to the continuity of operations in an emergency situation?
A.A documented succession plan
B.Distribution of key process documents
C.A reciprocal agreement with an alternate site
D.Strong senior management leadership
B is the correct answer.
Justification
During contingency situations, contact with one or more senior managers may be lost. In such cases, a documented succession plan is important as a means of establishing who is empowered to make decisions on behalf of the enterprise. However, if an enterprise experiencing a contingency situation has only a succession plan and no distributed key process documentation, the effectiveness of the empowered decision maker will be limited. A succession plan is, therefore, worthwhile but less important than process documentation.
Many factors come into play during contingency situations, but continuity is possible only when personnel who are able to resume key processes have the knowledge to do so. When key process documentation is distributed to contingency locations, it is available for the use of any staff who report to these locations during contingencies, and so long as that documentation is up to date, it may be used even by those who may not typically be involved in performing those functions.
Reciprocal agreements are established when contingency sites are shared among multiple business partners. There are business justifications for establishing these relationships, but having them established is generally not going to ensure continuity of operations.
Strong leadership by senior management drives the preparation that goes into continuity of operations planning before a contingency situation arises. Assuming that this preparation has been adequate, however, the continuity functions should be carried out by enterprise personnel even if leadership during the contingency is interrupted or lacking in strength.
Which of the following is MOST closely associated with a business continuity program?
A.Confirming that detailed technical recovery plans exist
B.Periodically testing network redundancy
C.Updating the hot site equipment configuration every quarter
D.Developing recovery time objectives for critical functions
D is the correct answer.
Justification
Technical recovery plans are associated with infrastructure disaster recovery.
Network redundancy is associated with infrastructure disaster recovery.
Equipment needs are associated with infrastructure disaster recovery.
Of the choices, only recovery time objectives directly relate to business continuity.
Prioritization of incident response activities is driven primarily by a:
A.recovery point objective.
B.quantitative risk assessment.
C.business continuity plan.
D.business impact analysis.
D is the correct answer.
Justification
A recovery point objective identifies the maximum acceptable data loss associated with successful recovery. It does not prioritize the order of incident response.
Risk assessment (both qualitative and quantitative) examines sources of threat, associated vulnerability and probability of occurrence. At the point that an incident occurs, the probability aspect of risk is no longer unknown, so the degree of impact drives the prioritization of incident response, captured in the specialized business impact analysis.
Business continuity plans define procedures to follow when business functions are impacted. They do not prioritize the order of incident response.
Business impact analysis is a systematic activity designed to assess the effect upon an enterprise associated with impairment or loss of a function. At the point that an incident occurs, its probability is no longer unknown, so it is the potential impact on the enterprise that determines prioritization of response activities.
Which of the following is MOST important in determining whether a disaster recovery test is successful?
A.Only business data files from offsite storage are used.
B.IT staff fully recovers the processing infrastructure.
C.Critical business processes are duplicated.
D.All systems are restored within recovery time objectives.
C is the correct answer.
Justification
Although ensuring that only materials taken from offsite storage are used in the test is important, it is not as critical in determining a test’s success.
While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test.
To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated.
Achieving recovery time objectives is an important milestone, but it does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes, materials and accessories, etc.
Which of the following is MOST important to keep on hand in a hot site?
A. Copies of vendor agreements
B. Backups of system software
C. List of service delivery objectives
D. Copies of the disaster recovery plan (DRP)
D is the correct answer.
Justification
Keeping agreements at the hot site is not necessary as they likely would not be referenced in a disaster scenario.
Since the disaster recovery site is a hot site, it already contains the equipment, network, and systems software.
Service delivery objectives are the service level agreements applicable during disasters. It is useful for them to be kept in the disaster recovery site, but they are not more important than copies of disaster recovery plans (DRPs).
In addition to the backup of data and programs, having access to copies of the DRPs, which include recovery steps and a list of contact information, is very important for a hot site so that services within the recovery time objective can be recovered quickly after the primary site goes down.
Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
A.Detailed technical recovery plans are maintained offsite.
B.Network redundancy is maintained through separate providers.
C.Hot site equipment needs are recertified on a regular basis.
D.Appropriate declaration criteria have been established.
A is the correct answer.
Justification
In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business knowledge can be lost. It is, therefore, critical to maintain an updated copy of the detailed recovery plan at an offsite location. In a disaster situation, without the detailed technical plan, business recovery will be seriously impaired.
Continuity of the business requires adequate network redundancy. Ideally, the business continuity program addresses this satisfactorily.
Continuity of the business requires hot site infrastructure that is certified as compatible, along with clear criteria. Ideally, the business continuity program addresses these needs satisfactorily.
Continuity of the business requires clear criteria for declaring a disaster. Ideally, the business continuity program addresses this satisfactorily.
Which of the following has the highest priority when defining an emergency response plan?
A.Critical data
B.Critical infrastructure
C.Safety of personnel
D.Vital records
C is the correct answer.
Justification
Critical data are secondary to safety of personnel.
Critical infrastructure is secondary to safety of personnel.
The safety of an enterprise’s employees should be the most important consideration given human safety laws. Human safety is considered first in any process or management practice.
Vital records are secondary to safety of personnel.
Which of the following is MOST important when deciding whether to build an alternate facility or to subscribe to a third-party hot site?
A.Location of a redundant processing facility and cost to build it
B.Daily cost of losing critical systems and recovery time objectives
C.Infrastructure complexity and system sensitivity
D.Criticality results from the business impact analysis
A is the correct answer.
Justification
Location is critical since the recovery site must not be subject to the same disaster as the primary site; cost is the second main consideration.
The cost of losing critical systems is not affected by a buy-or-build choice.
Infrastructure complexity and system sensitivity are the same whether in a third-party facility or not.
Criticality is the same regardless of the alternate site choice.
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A.storage capacity and shelf life.
B.regulatory and legal requirements.
C.business strategy and direction.
D.application systems and media.
D is the correct answer.
Justification
Storage capacity and shelf life are important but secondary issues.
Legal and regulatory requirements do not generally apply to long-term retention of electronically stored business records.
Business strategy and direction do not generally apply to long-term retention of electronically stored business records.
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover.
What is the PRIMARY factor that should be taken into consideration when designing the technical solution for a disaster recovery site?
A.Service delivery objective
B.Recovery time objective
C.Allowable interruption window
D.Maximum tolerable outage
C is the correct answer.
Justification
The service delivery objective is the required level of functionality that must be supported during the alternate process mode until the normal situation is restored, which is directly related to business needs.
The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal or acceptable operations defined by the service level objective. The RTO must be shorter than the allowable interruption window (AIW).
The length of the AIW is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services and applications. AIW is generally based on the downtime before the enterprise suffers major financial damage. The technical implementation of the disaster recovery site will be based on this constraint, especially the choice between a mirrored, hot, warm or cold site.
Maximum tolerable outage is the amount of time the enterprise can operate in alternate mode based on various factors such as accessibility and performance levels.
Which of the following would BEST support the need to test the disaster recovery plan (DRP) following testing of the business continuity plan (BCP)?
A. Testing confirms the effectiveness of the processes to restore IT systems and data.
B. Testing enables teams to be ready for incident response.
C. Testing bolsters overall business resilience and competitiveness.
D. Testing certifies uninterrupted delivery of crucial essential services and products.
A is the correct answer.
Justification
While both plans are essential, the disaster recovery plan (DRP) focuses on restoring IT systems and data. This is not necessarily covered when testing the business continuity plan (BCP).
Preparation for incident response is a common objective of both the BCP and DRP.
Overall business resilience is enhanced by both plans.
Ensuring continuous delivery of essential services and products is more aligned with the focus of the BCP, not the DRP.
Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?
A.Tests are scheduled on weekends.
B.Network Internet Protocol addresses are predefined.
C.Equipment at the hot site is identical.
D.Business management actively participates.
D is the correct answer.
Justification
Testing on weekends can be advantageous, but this is not the most important choice.
Because vendor-provided hot sites are in a state of constant change, it is not always possible to have network addresses defined in advance.
Although it would be ideal to provide for identical equipment at the hot site, it is not always practical because multiple customers must be served and equipment specifications will vary.
Disaster recovery testing requires the allocation of sufficient resources to be successful. Without the support of management, these resources will not be available, and testing will suffer as a result.
There is a concern that lack of detail in the recovery plan may prevent an enterprise from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the recovery time objectives would be met?
A.Establishment of distributed operation centers
B.Delegation of authority in recovery execution
C.Outsourcing of the business restoration process
D.Incremental backup of voluminous databases
B is the correct answer.
Justification
Establishment of distributed operation centers does not compensate for a lack of detail in the recovery plan.
When recovery is underway in response to an incident, there are many cases in which decisions need to be made at each management level. This may take up considerable time due to escalation procedures. Therefore, it is desirable that delegation of authority becomes effective during the recovery process. Scope of delegation of authority in recovery execution may be assessed and documented in business continuity policies and procedures.
Outsourcing will not resolve any failure to meet recovery time objectives, unless the recovery strategy includes a clear line of authority and adequate detail in the plan.
Incremental backup of voluminous databases may be recommended to expedite the data backup process. However, it generally increases the time needed to recover.
What is the PRIMARY factor to be taken into account when designing a backup strategy that will be consistent with a disaster recovery strategy?
A.Volume of sensitive data
B.Recovery point objective
C.Recovery time objective
D.Interruption window
B is the correct answer.
Justification
The volume of data will be used to determine the capacity of the backup solution.
The recovery point objective defines the maximum loss of data acceptable by the business (i.e., age of data to be restored). It will directly determine the basic elements of the backup strategy—frequency of the backups and what kind of backup is the most appropriate (disk-to-disk, on tape, mirroring).
The recovery time objective—the time between disaster and return to normal operation—will not have any impact on the backup strategy.
The ability to restore backups in a time frame consistent with the interruption window will have to be checked and will influence the strategy (e.g., full backup versus incremental), but it will not be the primary factor.
Which of the following practices would BEST ensure the adequacy of a disaster recovery plan?
A.Regular reviews of recovery plan information
B.Tabletop walkthrough of disaster recovery plans
C.Regular recovery exercises using expert personnel
D.Regular audits of disaster recovery facilities
A is the correct answer.
Justification
The most common failure of disaster recovery plans is lack of current essential operational information.
Tabletop walkthroughs are useful only if the information about systems and versions is up-to-date.
Recovery exercises are critical for testing plans and procedures. However, using expert personnel makes the recovery tests less useful because experts already have the knowledge to recover systems without using plans and written procedures, and there is no assurance that in a real disaster they would be available.
Audits can be helpful, but they are typically infrequent and use sampling; therefore, they provide limited and only occasional assurance that information in recovery plans is up-to-date.
What is the MOST important concern when an enterprise with multiple data centers designates one of its own facilities as the recovery site?
A.Communication line capacity between data centers
B.Current processing capacity loads at data centers
C.Differences in logical security at each center
D.Synchronization of system software release versions
B is the correct answer.
Justification
Although line capacity is important from a mirroring perspective, it is secondary to having the necessary capacity to restore critical systems.
If data centers are operating at or near capacity, it may prove difficult to recover critical operations at an alternate data center.
Differences in logical security constitute a much easier issue to overcome and are, therefore, of less concern.
Synchronization of system software releases is a much easier issue to overcome and is, therefore, of less concern.
What is the KEY responsibility of an information security manager in disaster recovery planning?
A. Designing secure network architectures to prevent information system incidents
B. Implementing processes for recovering operations after security breaches and/or system failures
C. Conducting regular disaster response training sessions for all employees
D. Ensuring resources and technologies are in place to perform the recovery as soon as possible
B is the correct answer.
Justification
Designing secure network architectures is more aligned with preventive measures than post-incident recovery processes.
The information security manager must understand the basic processes required to recover operations from information system incidents resulting in security breaches and system failures, natural disasters, and other events that could potentially disrupt business operations.
Conducting regular training sessions on disaster response for all employees is valuable, but it does not specifically address the information security manager’s role in developing and implementing recovery processes.
Ensuring resources are available is the responsibility of the chief information officer (CIO), not the information security manager.
Which of the following should be the PRIMARY basis for making a decision to establish an alternate site for disaster recovery?
A.A business impact analysis, which identifies the requirements for availability of critical business processes
B.Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously impact both sites
C.A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due diligence
D.Differences between the regulatory requirements applicable at the primary site and those at the alternate site
A is the correct answer.
Justification
The business impact analysis will help determine the recovery time objective and recovery point objective for the enterprise. This information will drive the decision on the requirements for an alternate site.
Natural disasters are just one of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery.
While a benchmark could provide useful information, the decision should be based on a BIA, which considers factors specific to the enterprise.
Regulatory requirements are just one of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery.
At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor’s hot site facility?
A.Erase data and software from devices.
B.Conduct a meeting to evaluate the test.
C.Complete an assessment of the hot site provider.
D.Evaluate the results from all test scripts.
A is the correct answer.
Justification
For security and privacy reasons, all organizational data and software should be erased prior to departure.
Evaluations can occur back at the office after everyone is rested.
An assessment of the hot site provider should be included in the postmortem.
Results of the test are a part of the postmortem.
What is the PRIMARY consideration when selecting a recovery site?
A. Availability of high-speed Internet
B. Geographical distance
C. Cost-effectiveness of the site
D. Accessibility to public transportation
B is the correct answer.
Justification
The availability of high-speed Internet is essential but may not be the primary factor in recovery site selection.
One key consideration when selecting a recovery site is geographical separation and diversity. This involves choosing a site that is located a significant distance away from the primary site to mitigate the risk of both sites being affected by the same regional disasters or events.
Cost-effectiveness is important but should be balanced with other critical factors. Even the most cost-effective site could be ineffective if located in the same geographical area as the primary site.
Accessibility to public transportation is not a primary concern for a recovery site selected for disaster recovery purposes.
While a disaster recovery exercise in the enterprise’s hot site successfully restored all essential services, the test was deemed a failure. Which of the following circumstances would be the MOST likely cause?
A.The maximum tolerable outage exceeded the acceptable interruption window (AIW).
B.The recovery plans specified outdated operating system versions.
C.Some restored systems exceeded service delivery objectives.
D.Aggregate recovery activities exceeded the AIW.
D is the correct answer.
Justification
The maximum tolerable outage, the amount of time the enterprise can operate in alternate mode, would normally exceed the acceptable interruption window (AIW).
While a difference in operating system versions might cause a delay, it would probably be minor.
Service delivery objectives (SDOs) are directly related to the business needs. The SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. Not meeting SDOs on some systems might be a concern but would not necessarily lead to the conclusion that the test was a failure.
Exceeding the AIW would cause the enterprise significant damage and must be avoided. The acceptable interruption window is the maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objectives.
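The distinction the justification draws, between some systems missing their SDO and the aggregate recovery running past the AIW, is easy to get wrong when reading a test log, because overlapping restore activities must be measured as elapsed wall-clock time from declaration rather than as a sum of step durations. The following Python is an added example, not part of the original flashcards; the timeline, the 8-hour AIW and the `RecoveryStep` structure are constructed for illustration.

```python
"""Evaluate a disaster recovery test against the AIW and per-system SDOs (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryStep:
    system: str
    started_h: float    # hours after the disaster was declared
    finished_h: float   # hours after declaration when the service was back
    sdo_met: bool       # restored service reached its service delivery objective


def aggregate_recovery_hours(steps):
    """Wall-clock time from declaration until the last essential service is restored.

    Restore activities overlap, so the aggregate is the latest finish time,
    not the sum of individual step durations.
    """
    return max((s.finished_h for s in steps), default=0.0)


def evaluate_test(steps, aiw_hours):
    """Apply the pass/fail logic from the flashcard: breaching the AIW fails the
    exercise outright; missed SDOs on individual systems are findings, not a failure."""
    for s in steps:
        if s.finished_h < s.started_h:
            raise ValueError(f"{s.system}: finish time precedes start time")
    aggregate = aggregate_recovery_hours(steps)
    sdo_misses = [s.system for s in steps if not s.sdo_met]
    aiw_breached = aggregate > aiw_hours
    if aiw_breached:
        verdict = "FAIL"
    elif sdo_misses:
        verdict = "PASS WITH FINDINGS"
    else:
        verdict = "PASS"
    return {
        "aggregate_hours": aggregate,
        "aiw_hours": aiw_hours,
        "aiw_breached": aiw_breached,
        "sdo_misses": sdo_misses,
        "verdict": verdict,
    }


# Constructed timeline for a hot-site exercise; the AIW of 8 hours is assumed.
AIW_HOURS = 8.0
EXERCISE = [
    RecoveryStep("directory services", 0.0, 1.5, True),
    RecoveryStep("core database", 1.0, 6.5, True),
    RecoveryStep("email", 1.5, 3.0, False),       # restored, but only at reduced capacity
    RecoveryStep("customer portal", 6.5, 9.0, True),
]
# The same exercise with the portal restored 1.5 hours sooner.
EXERCISE_FASTER = EXERCISE[:-1] + [RecoveryStep("customer portal", 6.5, 7.5, True)]

if __name__ == "__main__":
    for name, steps in (("as run", EXERCISE), ("faster portal", EXERCISE_FASTER)):
        print(name, evaluate_test(steps, AIW_HOURS))
```

In the first run every essential service comes back, yet the exercise fails because the portal completes at hour 9 against an 8-hour AIW; in the second run the aggregate is inside the AIW and the email SDO miss is recorded as a finding for the post-mortem rather than a failed test.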
Which of the following are the MOST influential factors in selecting the appropriate type of disaster recovery solution for an off-site facility?
A. Probabilities and types of major business impacting outages likely to occur
B. Capabilities and limitations of IT against outages
C. Business impact analysis and risk assessment results
D. Redundancies of existing hardware, software, and network devices
C is the correct answer.
Justification
The probabilities and types of major business-impacting outages likely to occur are one factor, but they are not sufficient without consideration of business priorities, recovery time needs, and cost. Probabilities and types of major outages are covered in risk assessment.
Although disaster recovery (DR) activities are related to technology and information recovery and IT plays an important role during a disaster, these factors can only influence the feasibility of a DR as a Service (DRaaS) alternative. Without considering other factors, this option would be limited in scope and not sufficient to justify any alternative selection. Any risk of lack of capabilities during recovery would be covered in risk assessment and those capabilities would be needed independent of recovery strategies.
DR site types have unique advantages and disadvantages. Recovery time parameters, budget and cost, business priorities, and location are the most influential factors in selecting the most appropriate DR off-site facility. Business priorities and recovery time dimension needs are covered in the business impact analysis, while the probability of major outages occurring, and the nature and extent of impacts, are covered in risk assessment.
Existing hardware, software, and network redundancies are good to know, but it would be necessary to know the recovery time objective (RTO), recovery point objective (RPO), probabilities of major outages, and cost to design the right off-site recovery strategies.
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
A.Exclusive use of the hot site is limited to six weeks.
B.The hot site may have to be shared with other customers.
C.The time of declaration determines site access priority.
D.The provider services all major companies in the area.
D is the correct answer.
Justification
Access to a hot site is not indefinite; the recovery plan should address a long-term outage.
Sharing a hot site facility is common practice and sometimes necessary in the case of a major disaster, and it is not a significant weakness.
First come, first served is a standard practice in hosted facilities and does not constitute a major weakness.
In case of a disaster affecting a localized geographical area, the vendor’s facility and capabilities could be insufficient for all its clients, which will be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.
Which of the following choices is MOST useful to an incident response team determining the severity level of reported security incidents?
A.Reviewing past incidents to determine impact
B.Integrating incident management with business continuity
C.Maintaining an inventory of assets and resources
D.Involving managers from affected operational areas
D is the correct answer.
Justification
Past incidents can be a useful guide to the types and severity of incidents but will not necessarily provide any information on a current incident.
Integrating incident management with business continuity facilitates response to high-severity incidents, but severity level must be determined prior to invoking the business continuity plan.
Maintaining an inventory of assets and resources may be helpful when determining the severity of incidents but is not a requirement.
The incident response team is likely not as well-informed regarding each operational area impacted by a security incident as the managers from those areas, so it makes sense to consult with the managers to get their estimates.
Which of the following is the FIRST step when updating the incident classification protocols in response to a new cybersecurity regulation that expands the types of incidents that require reporting?
A. Reviewing the updated regulations to identify the requirements for reporting incidents
B. Computing the statistical increase in incidents influenced by the new regulation
C. Reviewing the organization’s risk tolerance in the context of the new regulation
D. Upsizing security personnel to manage a potential spike in reported incidents
A is the correct answer.
Justification
Following the enactment of a new regulation, the critical focus should be on reassessing and recalibrating the specific triggers for reporting—considering risk level, event scale, types of information, and systems involved—under the lens of all applicable regulations.
Although determining the statistics on the increase of incidents could provide some understanding of the issue's scale, it is more important to understand which incidents require reporting.
Reevaluating risk tolerance is an important aspect of an ongoing security strategy but not the primary concern when adjusting incident classification protocols after a regulatory shift.
While bolstering the security team could be needed to handle a rise in reported incidents, it is vital to outline the incidents that necessitate reporting first.
Which of the following actions would be MOST effective in ensuring proper incident classification and categorization?
A. Use predefined incident categories based on industry standards to streamline incident handling.
B. Develop a standardized incident classification framework tailored to the organization’s business analytics environment.
C. Assign the responsibility for incident classification and categorization to the incident response team.
D. Leverage the expertise of a third-party service provider to lay the framework for incident classification and categorization.
B is the correct answer.
Justification
While using predefined incident categories based on industry standards may streamline incident handling processes, it may not capture the specific nuances of security incidents within the organization’s business analytics environment. Customization is crucial to accurately categorize incidents based on unique data types and analytics tools.
Tailoring the framework ensures that incident classification aligns with the unique characteristics of the organization’s analytics operations, enhancing the effectiveness of incident response efforts.
Assigning the responsibility solely to the incident response team without considering the broader context of business analytics operations may result in inadequate incident classification. Effective incident classification requires collaboration with stakeholders familiar with the organization’s analytics environment to accurately assess the impact of security incidents.
While outsourcing incident classification tasks to a managed service provider may provide expertise, it may not capture the organization’s specific business analytics context. It also may not be cost-effective. Internal stakeholders are better positioned to understand the nuances of the analytics environment and ensure accurate incident classification tailored to organizational needs.
Which of the following provides the BEST basis for assigning accurate classification levels to incidents?
A. Impact and urgency of the incident
B. Size and capabilities of incident response teams
C. Criticality and sensitivity of affected assets
D. Type and likely duration of a confirmed incident
A is the correct answer.
Justification
Accurate incident classification reflects an incident’s priority level and is usually determined by assessing its impact and urgency. Urgency is a measure of how quickly the incident needs to be resolved to avoid significant effects on business operations. Impact is a measure of the extent of the incident and of the potential damage caused by the incident before it can be resolved.
The size and capabilities of an incident response team are related to the desired resolution time of the incident. Without considering the impact dimensions, these criteria would not be effective in assigning classification levels to incidents.
Sensitivity and criticality of affected assets is related to the impact of an incident. Without considering the urgency of resolution, these criteria would not be effective in assigning classification levels to incidents.
Type and likely duration of an incident is related to the urgency of the incident. Without considering the impact dimensions, these criteria would not be effective in assigning classification levels to incidents.
Which of the following activities is performed during the detection and analysis phase of the incident response life cycle?
A.Assist in managing communication to news media.
B.Assign a category based on the impact of the incident.
C.Determine accountability for the root cause.
D.Notify the concerned stakeholders.
B is the correct answer.
Justification
Assisting in proactively managing news media, social media, regulators, vendors and other third parties is part of the containment, eradication and recovery phase.
During the detection and analysis phase, the financial, legal, regulatory, operational and reputational impacts are determined. From this analysis, the incident can be assigned a category.
Identifying accountable parties for the incident root cause and assigning ownership of remedies is part of the post-incident activity phase.
Notifying concerned stakeholders is part of the response activities in the incident response plan.
A bank detects an intrusion into its network, finding that an external threat actor gained unauthorized access to a database containing sensitive customer data. Which of the following types of incidents does this BEST describe?
A. Unauthorized access
B. Privilege escalation
C. Data breach
D. Security incident
C is the correct answer.
Justification
While unauthorized access is indeed a component of the incident, simply categorizing it as unauthorized access might not fully capture the severity of the situation, as it doesn’t explicitly convey the compromise of sensitive customer data, which is a critical aspect of this scenario.
While privilege escalation may be one of the ways to gain access to unauthorized data, it is not the only way and does not fully address the incident. Data breach is a better classification of the incident, as it is defined as access, disclosure, or use of sensitive data by unauthorized entities.
This classification is most appropriate because the incident involves unauthorized access to a database containing sensitive customer data. A data breach occurs when sensitive or confidential information is accessed, disclosed, or used by unauthorized individuals or entities.
While the intrusion and unauthorized access could indeed be classified as a security incident, this term is quite broad and may not adequately convey the specific nature of the breach, which involves the compromise of sensitive customer data. Therefore, categorizing it as a data breach provides a more precise description of the incident.
Multiple security incidents are affecting various systems and personnel following a cyberattack targeting a generative artificial intelligence (AI) company. Which of the following would be BEST to determine if the incident needs to be reported externally?
A. The extent of data compromised and its potential impact on customers
B. The severity of the incident and the associated level of risk
C. The potential impact on the company’s reputation and customer trust
D. The potential regulatory implications and fines due to the incident
B is the correct answer.
Justification
While the extent of data compromised and its potential impact on customers are important considerations, they are part of the overall risk assessment and do not alone determine the need for external reporting.
The severity of the incident and the associated level of risk encompass all the other considerations listed and therefore determine whether the incidents necessitate external reporting.
The potential impact on the company’s reputation and customer trust is a significant concern, but it is part of the overall risk assessment and does not alone determine the need for external reporting.
The potential regulatory implications and fines due to the incident are important considerations, but they are part of the overall risk assessment and do not alone determine the need for external reporting.
Which of the following is the MOST important reason to classify reported or detected security events or incidents?
A. To optimize limited incident response resources
B. To document the number of incidents in each category
C. To determine the escalation hierarchy for the incident
D. To monitor the performance of the incident response team
A is the correct answer.
Justification
Classifying incidents based on impact to the organization is essential to optimize the limited resources available when multiple incidents are detected/reported.
Documenting the number of incidents in each category is required for reporting but is not the most important reason.
Determining the escalation hierarchy may be required for high-risk incidents that cannot be closed in time, resulting in higher impact. Escalation may not be required for all incidents.
Monitoring the performance of the response team is not the most important reason for classification.
Which of the following could have the GREATEST impact on the restoration process during incident response?
A. Lack of engagement with the disaster recovery team
B. Lack of stakeholders’ commitment to incident response
C. Absence of process and requirements for an alert condition
D. Inadequate training and test planning for the incident response team
C is the correct answer.
Justification
Based on the alert condition, the incident response team meets to evaluate the damages and decide whether to declare a disaster or launch the response and recovery plan.
A lack of commitment may result in inefficiencies, but even with commitment, absence of an alert condition will have a bigger impact on the enterprise.
An alert situation prompts the notification to individuals within the enterprise who have authoritative decision-making responsibilities when an incident is suspected. If the process and requirements for the alert condition do not exist or are not effective, it could result in delays and unnecessary spread of the incident throughout the enterprise.
Training is important, but training on a flawed incident response plan would not be effective.
Which of the following would be the MAIN reason an information security manager would review issues reported to the IT help desk?
A. Issues require a resolution within agreed service levels.
B. Issues can be due to a possible security event or incident.
C. Security awareness training content needs updating to include new issues.
D. The knowledge repository should incorporate issues addressed by the service desk.
B is the correct answer.
Justification
Monitoring service level agreements (SLAs) for the service desk is not the main responsibility of a security manager.
User issues could be related to potential security incidents. Therefore, reviewing help desk tickets could enable early detection of events or incidents and aid in reducing the impact associated with such events or incidents.
Updating awareness content is one of the reasons a manager may review tickets, but it is not as important as early detection of security incidents.
Reviewing and updating the knowledge repository for service desk employees is not the responsibility of the information security manager.
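The justification above says help desk tickets can surface security incidents early; in practice that means screening ticket text for symptom wording that users report without recognising it as security-relevant, and noticing when several tickets point at the same thing. The Python below is an added example, not part of the original flashcards: the tickets are constructed, and the indicator patterns and event labels are assumptions a security manager would tune to their own environment.

```python
"""Screen help desk tickets for possible security events (added example, constructed data)."""
import re
from collections import Counter

# Constructed tickets; wording chosen to resemble typical user reports, not real data.
TICKETS = [
    {"id": "HD-1001", "text": "Cannot print to the 3rd floor printer since this morning"},
    {"id": "HD-1002", "text": "My account got locked out three times today, I did not mistype my password"},
    {"id": "HD-1003", "text": "Laptop is very slow and a popup says my files are encrypted, pay to unlock"},
    {"id": "HD-1004", "text": "Need Outlook calendar shared with a new team member"},
    {"id": "HD-1005", "text": "Received an email from the CEO asking me to buy gift cards urgently"},
    {"id": "HD-1006", "text": "USB drive not recognized"},
    {"id": "HD-1007", "text": "Antivirus keeps disabling itself after every reboot"},
    {"id": "HD-1008", "text": "Keep getting locked out of VPN, haven't touched my password"},
]

# Assumed indicator patterns: each maps symptom wording to the event it may signal.
INDICATORS = [
    (r"\blocked out\b|\block-?outs?\b", "possible credential attack"),
    (r"\bfiles? (?:are|is|got) encrypted\b|\bpay to unlock\b|\bransom\b", "possible ransomware"),
    (r"\bgift cards?\b|\bwire transfer\b|\bchange (?:the )?bank (?:account|details)\b", "possible BEC or phishing"),
    (r"\b(?:antivirus|edr|firewall)\b.*\b(?:disabl|turned off|switched off)", "security control tampering"),
    (r"\bunknown (?:admin|device|login)\b|\bsigned in from\b.*\bdidn'?t\b", "possible account compromise"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in INDICATORS]


def screen_ticket(text):
    """Return the sorted set of event labels whose indicators match this ticket text."""
    return sorted({label for rx, label in COMPILED if rx.search(text)})


def screen_tickets(tickets):
    """Map ticket id -> labels, keeping only tickets that matched at least one indicator."""
    findings = {}
    for ticket in tickets:
        labels = screen_ticket(ticket["text"])
        if labels:
            findings[ticket["id"]] = labels
    return findings


def campaign_signals(findings, threshold=2):
    """Labels reported on at least `threshold` tickets in the review window.

    One lockout is a user problem; several users locked out on the same day is the
    early-detection signal the security manager is looking for in the queue.
    """
    counts = Counter(label for labels in findings.values() for label in labels)
    return sorted(label for label, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = screen_tickets(TICKETS)
    for ticket_id, labels in found.items():
        print(ticket_id, labels)
    print("campaign signals:", campaign_signals(found))
```

Keyword screening like this is a coarse first pass meant to route tickets to the security team for a human look; tuning the patterns against a sample of past tickets, and watching the false-positive rate, is what keeps the help desk willing to cooperate.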
How can the information security manager BEST collaborate with management in defining and implementing the incident escalation process?
A. By clearly documenting the escalation process and authorized recovery actions
B. By establishing routine events as incidents to streamline emergency responses
C. By minimizing the documentation of the escalation process for simplicity
D. By avoiding detailed descriptions to expedite recovery action
A is the correct answer.
Justification
The information security manager should work with management to define and implement an escalation process to establish the events to be managed using incident management policies and procedures. A detailed description of the escalation process and hierarchy of authorities for various recovery actions or disasters must be clear and documented.
The primary emphasis should be on the clarity and documentation of the escalation process, not on categorizing routine events.
Detailed descriptions are considered important for effective emergency and incident management.
Avoiding detailed descriptions to expedite recovery actions is not the recommended approach, as there is a need for a detailed description of the escalation process and authorized recovery actions.
Which of the following factors would be the BEST to consider when escalating a cybersecurity incident to an internal response team?
A. Technical complexity and incident duration
B. Incident classification and categorization levels
C. Business processes and assets impacted
D. Experience of the incident response team
B is the correct answer.
Justification
The complexity of the technology environment does not mean an incident’s impact is going to be high or that important assets would be affected, requiring a quick response. The duration of an incident is important, but it cannot be determined before escalation.
Incident classification and categorization levels define the likely impact levels and urgency of the response. To have effective escalation, urgent and high-impact incidents require faster resolution.
Affected assets and processes are important, but these factors do not show the incident’s impact level. These may be important to know to effectively notify business stakeholders but not for incident responders.
The skills and capabilities of an incident responder must be combined with the type and nature of incidents so that the impact and urgency of incidents can be escalated for resolution effectively and efficiently. Seniority levels are important when an escalated incident cannot be resolved in a timely manner.
What is the PRIMARY reason for conducting triage?
A.To prioritize limited resources when handling incidents
B.To align with mandatory process steps in the incident handling process
C.To mitigate the chance of an incident occurring
D.To detect an incident before it can spread further
A is the correct answer.
Justification
The primary reason for conducting triage is that incident handling resources are limited, and they must be used for the greatest benefit. With categorization, prioritization and assignment of incidents based on their criticality, resources can be allocated more efficiently.
Triage is not generally considered a mandatory process in incident handling.
Triage does not mitigate an incident but applies available resources most effectively to address the impact.
Triage does not serve to detect incidents.
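The earlier question on classification levels (impact and urgency) and this one on triage (allocating limited responders by criticality) are two halves of the same mechanism: an impact-by-urgency matrix yields a priority, and the queue is worked in priority order rather than arrival order. The Python below is an added example, not part of the original flashcards; the 3x3 matrix, the P1..P4 labels, the target hours and the sample incidents are all assumed, and a real organisation would set its own.

```python
"""Impact x urgency priority matrix and triage ordering (added example)."""
from dataclasses import dataclass

# Levels are ordered: 1 is the highest impact or urgency, 3 the lowest.
# This mapping is an assumed, organisation-specific matrix, not a standard.
PRIORITY_MATRIX = {
    (1, 1): "P1", (1, 2): "P2", (1, 3): "P3",
    (2, 1): "P2", (2, 2): "P3", (2, 3): "P4",
    (3, 1): "P3", (3, 2): "P4", (3, 3): "P4",
}
# Assumed agreed-on resolution targets per priority, in hours.
TARGET_HOURS = {"P1": 4, "P2": 24, "P3": 72, "P4": 168}


@dataclass(frozen=True)
class Incident:
    ident: str
    summary: str
    impact: int    # 1 = enterprise-wide .. 3 = single user or system
    urgency: int   # 1 = immediate .. 3 = can be scheduled


def classify(impact, urgency):
    """Return the priority label for an impact/urgency pair, rejecting out-of-range levels."""
    if impact not in (1, 2, 3) or urgency not in (1, 2, 3):
        raise ValueError("impact and urgency must each be 1, 2 or 3")
    return PRIORITY_MATRIX[(impact, urgency)]


def triage(incidents):
    """Order the queue so scarce responders take the highest priority first.

    Ties inside a priority band are broken by urgency, then impact; arrival order
    is deliberately not a factor, which is the point of triage over first-come,
    first-served.
    """
    return sorted(
        incidents,
        key=lambda i: (classify(i.impact, i.urgency), i.urgency, i.impact),
    )


# Constructed sample queue, listed in arrival order.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "single user cannot open an encrypted file", impact=3, urgency=2),
    Incident("INC-2", "ransomware spreading across file servers", impact=1, urgency=1),
    Incident("INC-3", "phishing email reported, link not clicked", impact=2, urgency=3),
    Incident("INC-4", "customer portal returning other customers' data", impact=1, urgency=2),
    Incident("INC-5", "admin credential found in a public repository", impact=2, urgency=1),
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_INCIDENTS):
        label = classify(inc.impact, inc.urgency)
        print(f"{label} target {TARGET_HOURS[label]:>3}h  {inc.ident}: {inc.summary}")
```

Because the same two inputs drive both the classification level and the ordering, the matrix is where the organisation's business priorities are encoded once and applied consistently, which is what makes the resulting triage defensible when a lower-priority reporter asks why their incident waited.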
The BEST time to determine who should be responsible for declaring a disaster is:
A.during the establishment of the plan.
B.after an incident has been confirmed by operations staff.
C.after fully testing the incident management plan.
D.after the implementation details of the plan have been approved.
A is the correct answer.
Justification
Roles and responsibilities for all involved in incident response should be established when the incident response plan is established.
Determining roles and responsibilities during a disaster is not the best time to make such decisions, unless it is absolutely necessary.
While testing the plan may drive some changes in roles based on test results, roles (including who declares the disaster) should have been established before testing and plan approval.
Roles and responsibilities for all involved in incident response should be established when the incident response plan is established, not after the details have been approved.
In the context of establishing and maintaining processes for investigating and documenting information security incidents, which of the following BEST describes the role of legal and regulatory requirements?
A. They serve as optional guidelines for incident response procedures.
B. They provide a framework for collaboration between IT teams and management.
C. They dictate the minimum standards that must be followed to ensure compliance.
D. They primarily specify a baseline for the technical specifications of incident response planning.
C is the correct answer.
Justification
Legal and regulatory requirements are not optional guidelines. They are mandatory requirements that organizations must adhere to in order to comply with the law. Treating them as optional could lead to noncompliance and legal repercussions.
While legal and regulatory requirements may necessitate collaboration between different teams within an organization (including IT and management), their primary purpose is to ensure compliance with laws and regulations, not to serve as a collaboration framework.
Legal and regulatory requirements are not merely guidelines or recommendations; they often represent mandates that organizations must follow to comply with relevant laws and regulations. These requirements establish baseline standards for how organizations handle and respond to information security incidents.
Legal and regulatory requirements encompass more than just technical aspects of incident response planning. They often include requirements related to data protection, privacy, reporting obligations, and other legal considerations that go beyond purely technical concerns.
Which of the following is the PRIMARY purpose of classifying and categorizing cybersecurity incidents during incident response?
A. Preventing the recurrence of significant incidents
B. Using limited incident resources more efficiently
C. Ensuring an effective incident containment process
D. Improving the awareness of incident response teams
B is the correct answer.
Justification
Significant incidents cannot always be prevented due to the existence of vulnerabilities. Classification and categorization of cybersecurity incidents do not prevent incident recurrence.
The main objective of incident classification and categorization is to assign limited incident resources to where they can be most effective rather than on a first-come, first-served basis. This approach ensures that resources are allocated efficiently, focusing on the most critical threats first.
Containment includes all the activities, tasks, and steps taken to limit or reduce the impact of an incident. Incident classification and categorization can help incident containment activities by ensuring a prompt response but do not ensure that these activities are conducted effectively.
Although classified and categorized incidents should be treated appropriately by incident response team members, the main objective of classification and categorization of cybersecurity incidents is not to improve the awareness of the incident response teams.
A malicious insider intentionally alters critical configuration settings on a production server, using administrator access privileges, and causes a disruption in services. How should this incident be categorized?
A. Insider threat
B. Configuration error
C. Privilege escalation
D. Denial of service
A is the correct answer.
Justification
The incident involves a malicious insider who intentionally alters critical configuration settings on a production server. An insider threat refers to the risk posed to an organization’s security or data by individuals who have insider access and knowledge, such as employees, contractors, or partners, and who misuse their privileges for malicious purposes.
A configuration error typically refers to incidents caused by unintentional misconfigurations or errors in system settings or configurations that lead to security vulnerabilities. However, in this scenario, the alteration of critical configuration settings was intentional and aimed at causing disruption, rather than being unintentional.
Privilege escalation occurs when an attacker starts with an account without elevated privileges, exploits vulnerabilities, and gains higher privileges. Here, the insider may already have an admin account and is using it for malicious intentions. Hence, the incident is better classified as an insider threat.
Denial of service involves malicious attempts to disrupt or deny access to services or resources. In this scenario, the disruption in services caused by the alteration of configuration settings aligns with the outcome of a denial-of-service attack. However, the root cause of the disruption is the intentional actions of a malicious insider, which distinguishes it from a typical denial of service attack initiated by external actors.
Which of the following tests gives the MOST assurance that a business continuity plan works, without potentially impacting business operations?
A.Checklist tests
B.Simulation tests
C.Walk-through tests
D.Full operational tests
B is the correct answer.
Justification
With checklist tests, copies of the business continuity plan are distributed to various persons for review. In these tests, people do not exercise a plan.
In simulation tests, business continuity coordinators come together to practice executing a plan based on a specific scenario. This does not interrupt normal operations and provides the most assurance of the given nonintrusive methods.
In walk-through tests, representatives come together to go over the plan (one or more scenarios) and ensure the plan’s accuracy. The plan itself is not executed.
Full operational tests are the most intrusive to regular operations and business productivity. The original site is actually shut down and processing is performed at another site, thus providing the most assurance, but interrupting normal business productivity.
The effectiveness of an incident response team is BEST measured by the:
A.percentage of incidents resolved within previously agreed-on time limits.
B.number of change requests submitted as a result of reported incidents.
C.percentage of unresolved events still open at the end of any given month.
D.number of incidents originating from external sources.
A is the correct answer.
Justification
The goal of incident response is to resolve incidents within agreed-on time limits.
The number of change requests related to infrastructure changes simply indicates that there have been required changes to the internal architecture. Those change requests may or may not have anything to do with found vulnerabilities or reported incidents.
The end of the month is an arbitrary time, unrelated to agreed-on time limits for incident resolution.
The source of incidents does not provide input concerning the effectiveness of incident management.
Which of the following is the BEST indicator that operational risk is effectively managed in an enterprise?
A.A tested business continuity plan/disaster recovery plan
B.An increase in timely reporting of incidents by employees
C.Extent of risk management education
D.Regular review of risk by senior management
A is the correct answer.
Justification
A tested business continuity plan/disaster recovery plan is the best indicator that operational risk is managed effectively in the enterprise.
Reporting incidents by employees is an indicator but not the best choice, because it is dependent upon the knowledge of the employees.
Extent of risk management education is not correct, because it may not necessarily indicate that risk is effectively managed in the enterprise. A high level of risk management education would help but would not necessarily mean that risk is managed effectively.
Regular review of risk by senior management is not correct because it may not necessarily indicate that risk is effectively managed in the enterprise. Top management involvement would greatly help but would not necessarily mean that risk is managed effectively.
Which of the following BEST helps an enterprise improve its incident response process for insider threats?
A. Strengthen technical controls to prevent insider threats.
B. Delay communication with law enforcement agencies until all facts are verified.
C. Assign blame to the insider responsible for the incident.
D. Provide regular security awareness training on detecting and reporting insider threats.
D is the correct answer.
Justification
While technical controls are important for preventing insider threats, relying solely on preventing them may not be sufficient. Insider threats can involve deliberate actions by individuals with legitimate access, making it essential to complement technical controls with employee awareness and reporting mechanisms.
While communication with law enforcement agencies may be necessary for certain insider threat incidents, delaying communication until all facts are verified could hinder timely response efforts. Prompt reporting of insider threats to law enforcement can aid in investigation and resolution, helping to mitigate the impact of the incident.
While accountability is important, assigning blame and punishment should not be the primary focus when improving incident response for insider threats. Instead, the focus should be on understanding the root causes of the incident, enhancing detection and prevention measures, and fostering a culture of security awareness and collaboration within the organization.
By raising awareness and empowering employees to recognize and report insider threats, the organization can enhance its ability to detect and respond to such incidents effectively.
Which one of the following measures will BEST indicate the effectiveness of an incident response process?
A.Number of open incidents
B.Reduction of the number of security incidents
C.Reduction of the average response time to an incident
D.Number of incidents handled per month
C is the correct answer.
Justification
The total number of open incidents is not an indicator of incident response effectiveness because the team does not have direct control over the number of incidents it must handle at any given time.
Reduction of the number of security incidents generally cannot be attributed to the effectiveness of the response team but rather to improved controls.
Reduction of response time helps minimize the impact of the incident and is the best indicator of the effectiveness of the incident response process.
The number of incidents handled per month would not be a direct indicator of team effectiveness.
Which of the following is the MOST effective method to ensure that a business continuity plan (BCP) meets an enterprise’s needs?
A.Require quarterly updating of the BCP.
B.Automate the survey of plan owners to obtain input to the plan.
C.Periodically test the cross-departmental plan with varied scenarios.
D.Conduct face-to-face meetings with management for discussion and analysis.
C is the correct answer.
Justification
Quarterly updates do not establish that a plan meets the enterprise’s needs.
Automated surveys are a method that could be used during testing but, on their own, are not sufficient.
Cross-departmental testing of a plan with varied scenarios is most effective in determining the validity of a business continuity plan (BCP).
Face-to-face meetings are a method that could be used during testing but, on their own, are not sufficient.
The PRIMARY objective of measuring the cybersecurity incident response capability is to:
A.reduce the overall number of incidents over time.
B.reduce the mean time of detection, eradication and recovery from incidents.
C.increase awareness of the effectiveness of the capabilities of senior management.
D.increase accuracy of the detection of cybersecurity incidents.
B is the correct answer.
Justification
The objective is to measure the effectiveness of the response to cybersecurity incidents, not reduce the number of incidents overall.
Reducing the mean time to detect, respond and recover is aligned with the objective of cybersecurity incident response.
While it is important to increase awareness, this is not the primary objective of incident response.
Increasing the accuracy of detecting cybersecurity incidents is the objective of security monitoring, not incident response.
Observations made by staff during a disaster recovery test are PRIMARILY reviewed to:
A.identify people who have not followed the process.
B.determine lessons learned.
C.identify equipment that is needed.
D.maintain evidence of review.
B is the correct answer.
Justification
It is not the aim of observation to identify people who have not followed the process.
After a test, results should be reviewed to ensure that lessons learned are applied.
Identifying equipment that is needed may be part of the lessons learned but is not the sole reason for the review.
Review is conducted not only to maintain evidence but also to make improvements.
Which of the following gives the MOST assurance of the effectiveness of an enterprise’s disaster recovery plan?
A.Checklist test
B.Table-top exercise
C.Full interruption test
D.Simulation test
C is the correct answer.
Justification
A checklist test does not provide more assurance than a full interruption test. Checklist tests are a preliminary step to a real test. Recovery checklists are distributed to all members of a recovery team to review and ensure that the checklist is current.
A table-top exercise does not provide more assurance than a full interruption test. Table-top exercises may consist of virtual walk-throughs of the disaster recovery plan (DRP), either of the plan as written or of its application to different scenarios.
A full interruption test gives the enterprise the best assurance because it is the closest test to an actual disaster. It generally involves shutting down operations at the primary site and shifting them to the recovery site in accordance with the recovery plan; this is the most rigorous form of testing.
A simulation test does not provide more assurance than a full interruption test. During simulation testing, the recovery team role-plays a prepared disaster scenario without activating processing at the recovery site.
Which of the following types of incident and disaster plan recovery tests provides the MOST effective and reliable results for modification of the plan while minimizing risk to business operations?
A. Structured walkthrough
B. Full-interruption test
C. Parallel test
D. Simulation test
C is the correct answer.
Justification
A structured walkthrough test requires only that representatives from each operational area meet to review the plan procedures physically and then implement the plans on paper and review each step to assess its effectiveness and identify enhancements, constraints, and deficiencies. The quality of the results depends on the team’s capabilities and will not be as effective as parallel testing.
Full interruption tests can provide the most effective results for all aspects of incident response and recovery capabilities of a plan. The primary site is brought down, and recovery sites are activated; therefore, it is the most disruptive to business operations.
In parallel testing, the incident response and recovery team actually tests the incident response and recovery roles in a test environment or offsite recovery site. Parallel testing is the most realistic simulation and provides teams with the best feedback about their roles without risking business operations.
In simulation tests, a recovery team walks through a scripted simulation and discusses assessment and recovery procedures to determine whether a recovery plan is reasonable, but the results will not be as reliable as parallel testing.
Which of the following is the BEST way to confirm that disaster recovery planning is current?
A.Audits of the business process changes
B.Maintenance of the latest configurations
C.Regular testing of the disaster recovery plan
D.Maintenance of the personnel contact list
C is the correct answer.
Justification
Auditing business process changes will not necessarily enable maintenance of the disaster recovery plan (DRP).
Maintenance of the latest configuration will not show how current the process is, which is vital for disaster recovery planning.
When a DRP is properly tested, the results of the tests will reveal shortcomings and opportunities for improvement.
The maintenance of the personnel contact list is an indication of the personnel to be involved in the DRP. Although the contact list is indicative of how current the DRP is, the DRP also should include the suppliers, customers and vendors needed for its success.
Different types of tests exist for testing the effectiveness of recovery plans. Which of the following choices would occur during a parallel test but not occur during a simulation test?
A.The team members step through the individual recovery tasks.
B.The primary site operations are interrupted.
C.A fictitious scenario is used for the test.
D.The recovery site is brought to operational readiness.
D is the correct answer.
Justification
A walk-through of all necessary recovery tasks is part of both tests.
Only a full interruption test includes interruption of primary site operations.
Both parallel tests and simulation tests rely on fictitious scenarios.
A parallel recovery test includes the test of the operational capabilities of the recovery site, while a simulation test focuses on role-playing.
What is the MOST appropriate IT incident response management approach for an enterprise that has outsourced its IT and incident management function?
A.A tested plan and a team to provide oversight
B.An individual to serve as the liaison between the parties
C.Clear notification and reporting channels
D.A periodic audit of the provider’s capabilities
A is the correct answer.
Justification
An approved and tested plan will provide assurance of the provider’s ability to address incidents within an acceptable recovery time, and an internal team’s ability to provide oversight and liaison functions that ensure the response is executed according to plan.
Identifying a liaison is not sufficient by itself to provide assurance of adequate incident response performance.
Notification and reporting channels are not sufficient assurance of suitable response activities and provide no capability for input, participation or addressing related issues in a timely manner.
Audits provide a periodic snapshot of the sufficiency of the provider’s plans and capabilities but are not adequate to manage collateral and consequential issues in the event of a significant incident.
Untested response plans:
A.depend on up-to-date contact information.
B.pose an unacceptable risk to the enterprise.
C.pose a risk that the plan will not work when needed.
D.are quickly distinguished from tested plans.
C is the correct answer.
Justification
While up-to-date contact information is important, it is no more important for an untested plan than for a tested plan.
Whether a risk is acceptable or not is a business determination and is not a function of testing.
A response plan may prove unworkable upon testing despite appearing to cover all areas as written.
Whether a plan has been tested is not quickly apparent from inspection.
The MOST important reason to frequently test the malware incident response playbook is to:
A.identify gaps in the procedures.
B.reduce the cost of execution.
C.provide real-time malware protection to the customers.
D.reduce the duration of the incident containment phase.
A is the correct answer.
Justification
The most important reason to frequently test an incident response playbook is to identify weaknesses and gaps in the procedures during incident eradication and recovery activities.
Cost is not the main reason for testing the playbook.
Playbooks are used to eradicate malware after the infection, not to provide real-time protection.
The incident response playbook does not reduce the duration of the incident containment process.
The systems administrator forgot to immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A.periodically testing the incident response plans.
B.regularly testing the intrusion detection system.
C.establishing mandatory training of all personnel.
D.periodically reviewing incident response procedures.
A is the correct answer.
Justification
Security incident response plans should be tested to find any deficiencies and improve existing processes.
Testing the intrusion detection system is a good practice but would not have prevented this situation.
All personnel need to go through formal training to ensure they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring that the process works as intended.
Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.
Which of the following is MOST likely to improve the effectiveness of the incident response team?
A.Briefing team members on the nature of new threats to information systems (IS) security
B.Periodic testing and updates to incorporate lessons learned
C.Ensuring that all members have a good understanding of IS technology
D.A non-hierarchical structure to ensure that team members can share ideas
B is the correct answer.
Justification
The fact that threats can materialize into an incident requires the presence of system vulnerabilities. It is the vulnerabilities that should be the focus of analysis when considering incident management procedures.
Periodic testing and updates to incorporate lessons learned will ensure that implementation of the incident management response plan is aligned and kept current with the business priorities set by business management.
All members of the incident management response team do not need to have IS skills. Members who take charge of implementing the incident management response plan should be able to use different skills to ensure alignment with the enterprise’s procedures and policies.
It is important that someone take ownership of implementing the incident management plan (e.g., to formally declare that such a plan needs to be put into place after an incident). A non-hierarchical structure can introduce ambiguity as to who is responsible for what aspects of the incident management response plan.
The MOST effective way to test the incident response plan is to conduct a:
A.red team test.
B.penetration test.
C.simulation test.
D.vulnerability scan.
C is the correct answer.
Justification
A red team test is a simulation of a real-life attack on the enterprise. It does not necessarily relate to testing the incident response plan.
A penetration test is a simulated test to break into the enterprise’s network infrastructure. It does not necessarily relate to testing the incident response plan.
A simulation test will ensure that all personnel know exactly what to do when an incident occurs.
Vulnerability scanning detects defects in the enterprise’s infrastructure and applications. It does not necessarily relate to testing the incident response plan.
Which of the following actions is the BEST to ensure that incident response activities are consistent with the requirements of business continuity?
A.Develop a scenario and perform a structured walk-through.
B.Draft and publish a clear practice for enterprise-level incident response.
C.Establish a cross-departmental working group to share perspectives.
D.Develop a project plan for end-to-end testing of disaster recovery.
A is the correct answer.
Justification
A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans.
Publishing an enterprise-level incident response plan would be effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around.
Sharing perspectives is valuable, but a working group does not necessarily lead to action ensuring that the interface between plans is workable.
A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.
Which of the following functions is responsible for determining the members of the enterprise’s response teams?
A.Governance
B.Risk management
C.Compliance
D.Information security
D is the correct answer.
Justification
The governance function will determine the strategy and policies that will set the scope and charter for incident management and response capabilities.
While response is a component of managing risk, the basis for risk management is determined by governance and strategy requirements.
Compliance would not be directly related to this activity, although this function may have representation on the incident response team.
The information security manager, or designated manager for incident response, should select the team members to ensure that all required disciplines are represented on the team.
Which of the following choices is a characteristic of security information and event management (SIEM) technology?
A.SIEM promotes compliance with security policies.
B.SIEM is primarily a means of managing residual risk.
C.SIEM replaces the need to install a firewall.
D.SIEM provides a full range of compensating controls.
A is the correct answer.
Justification
If properly deployed, configured and tuned, security information and event management (SIEM) can provide information on policy compliance, incident monitoring and other capabilities.
SIEM is not used to manage residual risk.
SIEM is an automated review of logs through aggregation and correlation and does not replace the need for firewalls.
SIEM provides a series of detective controls, not compensating controls.
Which of the following technologies is likely to be the MOST useful in countering advanced persistent threats?
A.Anomaly-based intrusion detection system
B.Security information and event management system
C.Automated vulnerability scanning tools
D.Integrated network management system
B is the correct answer.
Justification
Intrusion detection systems can detect and notify of a potential attack but provide no information on subsequent breaches, making them less effective at identifying persistent threats than security information and event management (SIEM) systems.
SIEM systems can identify incidents or potential incidents, prioritize according to potential impact, track incidents until they are closed, and provide substantial trend analysis over time.
Vulnerability scanning tools identify weaknesses in systems and networks that correspond to known paradigms. In general, advanced persistent threats (APTs) involve exploits that are outside the scope of published vulnerabilities, making vulnerability scanning a limited countermeasure against APTs.
Integrated network management typically provides a limited subset of the capabilities of fully implemented SIEM.
The PRIMARY objective of continuous monitoring is to:
A.minimize the magnitude of impact.
B.align the security program with IT goals.
C.identify critical information assets.
D.reduce the number of policy exceptions.
A is the correct answer.
Justification
Continuous monitoring helps an enterprise identify adverse events in a timely manner. The reduced lag time to take steps to contain damage results in minimizing the impact.
Aligning the security program with IT goals is a derived benefit of continuous monitoring rather than the primary objective.
Identifying critical information assets is a prerequisite for implementing continuous monitoring.
Reduction of policy exceptions is not a direct benefit of continuous monitoring.
An enterprise has been experiencing a number of network-based security attacks that all appear to originate internally. What is the BEST course of action?
A.Require the use of strong passwords.
B.Assign static Internet Protocol addresses.
C.Implement centralized logging software.
D.Install an intrusion detection system.
D is the correct answer.
Justification
Requiring the use of strong passwords will not be sufficiently effective against an internal network-based attack.
Assigning static Internet Protocol (IP) addresses would not be effective because addresses can be spoofed.
Implementing centralized logging software will not necessarily provide information on the source of the attack.
Installing an intrusion detection system (IDS) will allow the information security manager to better pinpoint the source of the attack so that countermeasures may then be taken. An IDS is not limited to detection of attacks originating externally. Proper placement of agents on the internal network can be effectively used to detect an internally based attack.
Which of the following MOST effectively reduces false-positive alerts generated by a security information and event management process?
A.Building use cases
B.Conducting a network traffic analysis
C.Performing an asset-based risk assessment
D.The quality of the logs
A is the correct answer.
Justification
Implementing a security information and event management (SIEM) process helps ensure that incidents are correctly identified and handled appropriately. Because an SIEM process depends on log analysis based on predefined rules, the most effective way to reduce false-positive alerts is to develop use cases for known threats to identified critical systems. The use cases would then inform development of appropriate rules for the SIEM solution.
Although security monitoring requires traffic analysis, only properly defined use cases can ensure that the rules are accurately defined and that events are properly identified, thereby reducing false-positive alerts.
A risk assessment will not reduce false-positive alerts.
The quality of the logs can affect alerts but is usually a minor consideration.
Which of the following choices is MOST important to ensure the admissibility of forensic evidence?
A.Adequacy of the retention period
B.Storage on read-only media
C.Review by an independent authority
D.Traceability of control
D is the correct answer.
Justification
While evidence must necessarily be retained long enough to be submitted, the length of the retention period does not itself affect the admissibility of evidence.
Read-only media reduces the possibility of tampering as a technical capability, but maintenance of a chain of custody serves as an adequate safeguard in any case.
Review by an independent authority does not guarantee admissibility.
Evidence is inadmissible without a clear chain of custody, which is a tracing of who had control of the evidence throughout the process.
A security operations center detected an attempted structured query language injection but could not determine if it was successful. Which of the following resources should the information security manager approach to assess the possible impact?
A.Application support team
B.Business process owner
C.Network management team
D.System administrator
A is the correct answer.
Justification
Structured query language (SQL) injection is an application-based attack. Because the security operations center has detected an attempt of SQL injection and could not determine if it was successful, the information security manager should approach the application support group that has access to data in order to identify the impact.
The business process owner may help the application support group determine the overall impact, after it has been determined if the attack has been successful.
Because SQL injection is an application-based attack, the network management team is not the best resource to assess the possible impact.
The system administrator is not the best resource to assess the possible impact but may assist the application support team and assist with incident response activities, should the attack have been successful.
What is the FIRST step in investigating an information security incident for which the enterprise may want to file criminal charges?
A.Notify law enforcement and senior management
B.Prevent contamination of evidence
C.Activate the incident response team
D.Contain the scope of impact
B is the correct answer.
Justification
Notification to law enforcement or senior management may occur in tandem with other activities, but preventing contamination of evidence takes priority. In many enterprises, the decision to notify law enforcement is made by senior management.
If criminal charges may be filed, preventing contamination of evidence is the foremost concern to facilitate prosecution.
Activation of the incident response team must be delayed until after steps have been taken to prevent contamination of evidence in situations where criminal charges may be filed.
Containment is part of an effective incident response strategy, but preventing contamination of evidence takes priority over containment in situations where criminal charges may be filed.
Which of the following is the FIRST step after the intrusion detection system sends out an alert about a possible attack?
A.Assess the type and severity of the attack.
B.Determine whether it is an actual incident.
C.Contain the damage to minimize the risk.
D.Minimize the disruption of computer resources.
B is the correct answer.
Justification
The type and severity of the attack should be studied after it is concluded that the incident is valid.
An administrator conducting regular maintenance activities may trigger a false-positive alarm from the intrusion detection system. One must validate a real incident before taking any action.
Damage should be contained and risk minimized after a valid incident has been confirmed and the type and severity of the attack have been determined.
One of the goals of incident response is to minimize the disruption of computer resources.
In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?
A.Perform a backup of the suspect media to new media.
B.Create a bit-for-bit image of the original media source onto new media.
C.Make a copy of all files that are relevant to the investigation.
D.Run an error-checking program on all logical drives to ensure there are no disk errors.
B is the correct answer.
Justification
A backup does not preserve 100 percent of the data, such as erased or deleted files and data in slack space—which may be critical to the investigative process.
The original hard drive or suspect media should never be used as the source for analysis. The source or original media should be physically secured and only used as the master to create a bit-for-bit image. The original should be stored using the appropriate chain of custody procedures, depending on location. The image created for forensic analysis should be used for analysis.
Once data from the source are altered, they may no longer be admissible in court.
Continuing the investigation and documenting the date, time and data altered are actions that may not be admissible in legal proceedings. The enterprise would need to know the details of collecting and preserving forensic evidence relevant to the jurisdiction.
A computer incident response team manual should PRIMARILY contain which of the following documents?
A.Risk assessment results
B.Severity criteria
C.Emergency call tree directory
D.Table of critical backup files
B is the correct answer.
Justification
Risk assessment results are a document that would not likely be included in a computer incident response team (CIRT) manual.
Quickly ranking the severity criteria of an incident is a key element of incident response.
The emergency call tree directory is a document that would not likely be included in a CIRT manual.
A table of critical backup files is a document that would not likely be included in a CIRT manual.
Which of the following procedures would provide the BEST protection if an intruder or malicious program gained super user (e.g., root) access to a system?
A.Prevent the system administrators from accessing the system pending investigation of the incident.
B.Inspect the system and intrusion detection output to identify all changes and then undo them.
C.Rebuild the system using original media.
D.Change all passwords, then resume normal operations.
C is the correct answer.
Justification
Preventing access by system administrators provides no protection and does nothing to restore the system.
Root access makes it possible to initiate changes that are difficult or impossible to locate, so undoing all changes is not an acceptable choice to resolve the issue.
If someone, or a malicious program, gains superuser privileges to a system without authorization, the enterprise never knows what the perpetrator or program has done to the system. The only way to assure the integrity of the system is to wipe it clean by either performing a low-level format on the hard disk or replacing it with a new one (usually after making a bit copy backup for the purpose of further analysis and to prevent the destruction of data that may not exist elsewhere) and then starting over again by reinstalling the operating system and applications using original media.
Changing passwords provides no protection against any malicious changes made to the system.
Which of the following choices is MOST important to verify to ensure the availability of key business processes at an alternate site?
A.Recovery time objective
B.Functional delegation matrix
C.Staff availability to the site
D.End-to-end transaction flow
D is the correct answer.
Justification
Recovery time objective (RTO) may address only part of the requirements for ensuring end-to-end business operations at the alternate site.
Functional delegation is of secondary importance to ensure the process availability at the alternate site.
Staff availability is important only to the extent that it impacts process availability at the alternate site.
Until end-to-end transaction flow is established, recovery is not complete. Whether the RTO has been met is less important than achieving full recovery.
In a forensic investigation, which of the following would be the MOST important factor?
A.Operation of a robust incident management process
B.Identification of areas of responsibility
C.Involvement of law enforcement
D.Expertise of resources
D is the correct answer.
Justification
Operation of a robust incident management process should occur prior to an investigation.
The identification of areas of responsibility should occur prior to an investigation.
Involvement of law enforcement is dependent upon the nature of the investigation.
The most important factor in a forensic investigation is the expertise of the resources participating in the project, due to the inherent complexity.
Which of the following is the MOST important aspect of forensic investigations that will potentially involve legal action?
A.The independence of the investigator
B.Timely intervention
C.Identifying the perpetrator
D.Chain of custody
D is the correct answer.
Justification
The independence of the investigator may be important but is not the most important aspect.
Timely intervention is important for containing incidents but not important for forensic investigation.
Identifying the perpetrator is important, but maintaining the chain of custody is more important in order to have the perpetrator convicted in court.
Establishing the chain of custody is one of the most important steps in conducting forensic investigations because it preserves the evidence in a manner that is admissible in court.
Which of the following actions should take place immediately after a security breach is reported to an information security manager?
A.Confirm the incident.
B.Determine impact.
C.Notify affected stakeholders.
D.Isolate the incident.
A is the correct answer.
Justification
Before performing analysis of impact, notification, or isolation of an incident, it must be validated as a real security incident.
Before performing analysis of the impact of an incident, it must be validated as a real security incident.
Before notification of stakeholders, it must be validated as a real security incident.
Before isolation of an incident, it must be validated as a real security incident.
Which of the following would be MOST appropriate for collecting and preserving evidence?
A.Encrypted hard drives
B.Generic audit software
C.Proven forensic processes
D.Log correlation software
C is the correct answer.
Justification
Whether hard drives are encrypted is not relevant to collecting and preserving evidence.
Audit software is not useful for collecting and preserving evidence.
When collecting evidence about a security incident, it is very important to follow appropriate forensic procedures to handle electronic evidence using a method approved by local jurisdictions.
Log correlation software may help when collecting data about an incident; however, these data might not be accepted as evidence in a court of law if they are not collected using a method approved by local jurisdictions.
Which of the following types of insurance coverage would protect an enterprise against dishonest or fraudulent behavior by its own employees?
A.Fidelity
B.Business interruption
C.Valuable papers and records
D.Business continuity
A is the correct answer.
Justification
Fidelity coverage means insurance coverage against loss from dishonesty or fraud by employees.
Business interruption insurance protects against losses from events that prevent the business from operating.
Valuable papers and records insurance protects against the costs associated with the destruction of business records due to fire, flood or other incident.
Business continuity insurance is similar to business interruption coverage but generally provides broader protection.
Which of the following is the MOST appropriate quality that an incident handler should possess?
A.Presentation skills for management report
B.Ability to follow policies and procedures
C.Integrity in all actions
D.Ability to cope with stress
D is the correct answer.
Justification
Presentation skills are useful for preparing management reports but are not the most essential quality.
The ability to follow policies and procedures is important, but incidents are unanticipated and chaotic. It is likely there are no specific policies or procedures to deal with them, and for an individual who cannot cope with the stress of an incident, the ability is of little value.
Integrity is an essential quality, but an employee who lacks it probably should not be employed by the enterprise.
Incident handlers work in high-stress environments when dealing with incidents. Incorrect decisions are likely to be made by individuals unable to cope with stress; thus, the primary quality of incident handlers is to cope with stress.
When creating a forensic image of a hard drive, which of the following should be the FIRST step?
A.Identify a recognized forensics software tool to create the image.
B.Establish a chain of custody log.
C.Connect the hard drive to a write blocker.
D.Generate a cryptographic hash of the hard drive contents.
B is the correct answer.
Justification
Identifying a recognized forensics software tool to create the image is one of the important steps, but it should come after several of the other options.
The first step in any investigation requiring the creation of a forensic image should always be to maintain the chain of custody.
Connecting the hard drive to a write blocker is an important step, but it must be done after the chain of custody has been established.
Generating a cryptographic hash of the hard drive contents is another important subsequent step.
To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?
A.Database server
B.Domain name server
C.Time server
D.Proxy server
C is the correct answer.
Justification
The database server would not assist in the correlation and review of the logs.
The domain name server would not assist in the correlation and review of the logs.
To accurately reconstruct the course of events, a time reference is needed, and that is provided by the time server.
The proxy server would not assist in the correlation and review of the logs.
Which of the following is the BEST solution for addressing the time lag in incident identification when detection relies mainly on event log review?
A.Introduce impact analysis to the log event review process.
B.Increase the headcount to review events captured in the logs.
C.Reduce the number of security events recorded in the logs.
D.Have log events associated with a security information and event management system.
D is the correct answer.
Justification
Impact analysis may help to assess the damage to the business. It may somewhat enhance the quality of log analysis; however, it would not support the accomplishment of the timely detection of an incident.
Increasing the number of employees is a costly approach that requires additional workload. There is still a risk that significant events could be overlooked, even if the log is reviewed with an increased headcount.
Reducing the number of security events to be recorded may not directly contribute to the timely detection of an incident. Reducing the number of events reported in the logs may increase the risk of unidentified events.
A monitoring system, such as a security information and event management system (SIEM), would interface with production systems. Therefore, log events would be sent to the agent layer of the security management system, followed by the analysis and escalation steps. This approach would compensate for the disadvantages involved in the periodic review of log events.
A forensic team was commissioned to perform an analysis of unrecognized processes running on a desktop personal computer. The lead investigator advised the team against disconnecting the power in order to:
A.prevent disk corruption.
B.conduct a hot-swap of the main disk drive.
C.avoid loss of data in server logs.
D.avoid loss of data stored in volatile memory.
D is the correct answer.
Justification
Preventing disk corruption does not address capture of the data that exist in volatile memory.
Conducting a hot-swap of the main disk drive does not address capture of the data that exist in volatile memory.
Avoiding loss of data in server logs does not address capture of the data that exist in volatile memory.
Disconnecting power from a system results in loss of data stored in volatile memory. Those data could be vital for the investigation and for understanding the extent of the impact of the event. Disconnecting power is not recommended if analysis of running processes or the content of volatile memory is required.
Which of the following is the PRIMARY function of an endpoint detection and response system?
A.To analyze security alerts generated by network devices
B.To review activity data and logs from endpoints and systems to indicate a threat
C.To block and remove viruses from the endpoints
D.To use forensics and analysis tools to research identified threats and suspicious activities
D is the correct answer.
Justification
A network monitoring system provides analysis of security alerts generated by network devices.
A security information and event management system monitors activity data and logs from endpoints and systems that could indicate a threat.
Endpoint detection and response (EDR) not only includes antivirus but also contains security tools such as firewalls, whitelisting tools and monitoring tools to provide comprehensive protection against digital threats. However, this is not its primary function.
An EDR system, in addition to providing analysis and prevention, has forensic capabilities that facilitate post-incident investigation and security research.
In following up on a security incident, the system administrator is to copy data from one hard disk to another. From a forensic perspective, which of the following tasks must be ensured?
A.Copy to the same disk model as the original.
B.Make a dual backup of the original disk.
C.Keep the digital hash from both hard disks.
D.Perform a restoration test after replication.
C is the correct answer.
Justification
For a copy, the target hard disk does not require the same specification as the original disk; therefore, this is not the best choice.
It is a good practice to make a dual backup; however, it does not prove that data are not modified by anyone.
In order to prove that data are not modified before and after the copy is made, it is best to keep a digital hash from both hard disks. The hashes alone are not adequate to meet the standards of evidence admissibility, but they will support other aspects of integrity in the context of data forensics.
It is a good practice to perform a restoration test. This is to ensure availability rather than to maintain evidential capability.
Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (2300 hours)?
A.Most new viruses’ signatures are identified over weekends.
B.Technical personnel are not available to support the operation.
C.Systems are vulnerable to new viruses during the intervening week.
D.The update’s success or failure is not known until Monday.
C is the correct answer.
Justification
The fact that most new viruses’ signatures are identified over weekends is secondary to leaving systems vulnerable during the intervening week.
The fact that technical personnel are not available is secondary to leaving systems vulnerable during the intervening week.
Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential.
The fact that success or failure is not known until Monday is secondary to leaving systems vulnerable during the intervening week.
Which of the following is the MOST critical consideration when collecting and preserving admissible evidence during an incident response?
A.Unplugging the systems
B.Chain of custody
C.Segregation of duties
D.Clock synchronization
B is the correct answer.
Justification
Unplugging the systems is generally the preferred option in preserving evidence but is just one step.
Admissible evidence must be collected and preserved by maintaining the chain of custody.
Segregation of duties is not necessary in evidence collection and preservation because the entire process can be executed by a single person.
Clock synchronization is not as important for the collection and preservation of admissible evidence.
Which of the following choices is the BEST method of determining the impact of a distributed denial-of-service attack on a business?
A.Identify the sources of the malicious traffic.
B.Interview the users and document their responses.
C.Determine the criticality of the affected services.
D.Review the logs of the firewalls and intrusion detection system.
C is the correct answer.
Justification
Identifying the sources of the attack may be useful to stop the attack but does not aid in determining impact.
The overall impact of a distributed denial-of-service attack may be beyond the comprehension of the users, as servers, databases, routers, etc., may be affected.
Criticality of affected services will determine the impact on the business. If affected services are not critical, then there is no cause for alarm.
Logs may identify the nature of the attack rather than the impact.
Why is slack space of value to an information security manager as part of an incident investigation?
A.Hidden data may be stored there.
B.The slack space contains login information.
C.Slack space is encrypted.
D.It provides flexible space for the investigation.
A is the correct answer.
Justification
Slack space is the unused space between where the file data end and the end of the cluster the data occupy.
Login information is not typically stored in the slack space.
Encryption for the slack space is no different from the rest of the file system.
Slack space is not a viable means of storage during an investigation.
Which of the following is MOST important when collecting evidence for forensic analysis?
A.Ensure the assignment of qualified personnel.
B.Request the IT department do an image copy.
C.Disconnect from the network and isolate the affected devices.
D.Ensure law enforcement personnel are present before the forensic analysis commences.
A is the correct answer.
Justification
Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved properly.
The IT department is unlikely to have the necessary level of expertise and should, therefore, be prevented from taking action.
Disconnecting from the network may be a prudent step prior to collecting evidence but does not eliminate the requirement for properly qualified forensic personnel.
Notifying law enforcement will likely occur after the forensic analysis has been completed.
Which action should the information security manager first take when alerted to a possible cybersecurity incident by the security operations center team?
A.Contain and eradicate the incident
B.Initiate incident analysis
C.Gather and handle evidence
D.Perform incident eradication and recovery
B is the correct answer.
Justification
Containing and eradicating the incident would occur only after the incident is validated.
The first step in incident response is to confirm the incident is valid. This would be done through incident analysis.
Evidence gathering, eradication and containment occur after the incident is confirmed.
Recovery, evidence gathering, eradication and containment occur after the incident is confirmed.
Although control effectiveness has recently been tested, a serious compromise occurred. What is the FIRST action the information security manager should take?
A.Evaluate control objectives.
B.Develop more stringent controls.
C.Perform a root cause analysis.
D.Repeat the control test.
C is the correct answer.
Justification
Control objectives cannot be evaluated until the exact nature of the compromise is understood; therefore, it is not clear how to best provide a solution.
Increasing the restrictiveness of controls should only take place if it is determined by root cause analysis to be necessary to solve the problem.
Assessing the root cause is the first step in understanding whether control objectives and controls are inadequate or if some other cause must be addressed.
Repeating the control test does not provide a root cause of the compromise that occurred.
When a computer hacking attack has been crafted carefully, perpetrators may not leave a trace in transaction logs. If such an attack is anticipated, which of the following will be the MOST vital information source from a forensic perspective?
A.Reconciliation results against external statements
B.Reviews of approval steps executed by business managers
C.Interviews collected from operation staff
D.Volatile data remaining in the computer resources
D is the correct answer.
Justification
When hacking is carefully completed, it can be difficult to find any observable trace evidence of the attack. Hence, reconciliation against external statements or logs may not be effective, as there may be no traces of the attack.
Hacking most likely is conducted from the back end. Hence, business approval procedures may not provide vital information from a forensic perspective.
Interviews are subjective and, therefore, are weak evidence from a forensic perspective.
Attackers make sure to hide evidence of infiltration, such as erasing logs, editing control reports, etc. From a forensic perspective, it is equally important to capture volatile data, such as open ports, active processes, RAM data, etc., for further investigation.
Which of the following is the MOST important consideration when conducting a forensic investigation of a cybersecurity incident?
A.Identify the threat actors that caused the incident.
B.Collect and preserve evidence in its original form.
C.Analyze the evidence to understand the root cause.
D.Determine if law enforcement should be notified.
B is the correct answer.
Justification
Identifying the threat actors may be the outcome of the investigation, but it is not the main objective of forensics.
Forensic investigation focuses on collecting uncontaminated evidence that can be presented in its original form.
Determining the root cause of a cybersecurity incident is important; however, forensic investigation may come after determining the root cause.
Whether to notify law enforcement is senior management’s decision, depending on various factors identified during a forensic investigation.
During a security and privacy investigation, computer forensic examiners noticed that the multiple hard drives collected as evidence were mishandled prior to being presented as evidence. Which of the following is the MOST significant concern the forensic examiners should raise to law enforcement officials?
A.The chain of custody of the hard drives was broken.
B.The hard drives have been damaged.
C.Data have been erased from the hard drives.
D.Data have been altered on the hard drives.
A is the correct answer.
Justification
The chain of custody documents how evidence is collected, used and handled through the lifetime of a particular case. The chain of custody protects the integrity of the evidence and ensures its usability during legal proceedings. This would be the most significant concern in this scenario.
Damage to the hard drives would be a concern, but the most significant concern would be the loss of integrity of the evidence with the disruption of the chain of custody.
Erasure of data is a potential outcome if the chain of custody is broken.
Alteration of data is a potential outcome if the chain of custody is broken.
An employee has found a suspicious file on a server. The employee thinks the file is a virus and contacts the information security manager. What is the FIRST step to take?
A.Contain the file.
B.Delete the file.
C.Verify whether the file is malicious.
D.Report the suspicious file to management.
C is the correct answer.
Justification
Containment is the next step in the incident response cycle.
Deleting the file could be part of the containment process after it has been determined that it is safe to do so.
The first step in incident response is to verify whether the file is malicious.
Reporting to management would be a later step in the incident handling cycle and will vary based on policy, but it would not come before verification or general containment.
Which of the following situations would be of the MOST concern to a security manager?
A.Audit logs are not enabled on a production server.
B.The logon ID for a terminated systems analyst still exists on the system.
C.The help desk has received numerous reports of users receiving phishing emails.
D.A Trojan was found installed on a systems administrator’s laptop.
D is the correct answer.
Justification
Failure to enable audit logs on a production server, although important, does not pose as immediate or as critical a threat as a Trojan installed on a systems administrator’s laptop.
The logon ID for a terminated employee existing on the system poses a risk, but unless it is a disgruntled or malicious employee, it is not likely to be a critical threat.
Numerous reports of phishing emails are a risk. But in this situation, employees recognize the threat and are responding appropriately, so it is not a critical threat.
The discovery of a Trojan installed on a systems administrator’s laptop is a highly significant threat from an attacker and may mean that privileged user accounts and passwords have been compromised.
The PRIMARY reason to ensure chain of custody is to make sure that:
A.the ownership of the compromised system can be traced efficiently.
B.the asset custodian is updated in the enterprise’s asset inventory.
C.the person who compromised the system can be traced correctly.
D.the forensic evidence is valid and admissible in a court of law.
D is the correct answer.
Justification
An asset inventory can be used for tracing the asset, but it is not the primary reason for a chain of custody.
The chain of custody is not related to the asset custodian or to updating the asset inventory.
Forensic analysis—not the chain of custody—may reveal who compromised the system.
The chain of custody must be ensured to ensure that the forensic evidence is admissible in a court of law.
A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?
A.Invalid logon attempts
B.Write access violations
C.Concurrent logons
D.Firewall logs
A is the correct answer.
Justification
Because the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity.
Write access violations would not necessarily be observed because the information was merely copied and not altered.
Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity; concurrent usage is common in this situation.
Firewall logs would not necessarily contain information regarding logon attempts.
Digital forensic analyses PRIMARILY focus on finding digital evidence:
A.based on threat intelligence reports.
B.after a security breach has occurred.
C.immediately after a security incident is reported.
D.when log files are inadequate for investigation.
B is the correct answer.
Justification
It will be a waste of resources if forensic analyses are based on threat intelligence reports.
Forensics can be performed for actual and suspected breaches based on digital evidence. They primarily focus on finding digital evidence after a breach has occurred.
Not every security incident calls for forensics. Initiating forensics would be more useful once a breach has occurred than after it is reported.
Forensics will not be useful without logs. If files are not available as desired, the evidence will be insufficient.
Which of the following would be MOST useful in developing a series of recovery time objectives?
A.Gap analysis
B.Regression analysis
C.Risk analysis
D.Business impact analysis
D is the correct answer.
Justification
A gap analysis is useful in assessing the differences between the current state and a future state.
Regression analysis is used to retest earlier program abends or logical errors that occurred during the initial testing phase.
Risk analysis is a process by which frequency and magnitude of IT risk scenarios are estimated.
Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs define the amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Evidence from a compromised server must be acquired for a forensic investigation. What would be the BEST source?
A.A bit-level copy of the hard drive
B.The last verified backup stored offsite
C.Data from volatile memory
D.Backup servers
A is the correct answer.
Justification
The bit-level copy image file ensures forensic quality evidence that is admissible in a court of law.
The last verified backup will not copy everything and will not provide a forensic quality image for investigative work.
Dumping memory runs the risk that swap files or other disk activities will alter disk-based evidence. Standard advice from law enforcement is to pull the power plug on the compromised server to maximize preservation of evidence.
Backup servers may not have been compromised.
The computer incident response team was notified of an unsecured database hosted in a cloud environment exposing hundreds of records with sensitive information. After receiving notification of the incident, which of the following groups should be notified FIRST?
A.Information security steering committee
B.Customers who may be impacted
C.Regulatory agencies overseeing privacy
D.Data owners who may be impacted
D is the correct answer.
Justification
The information security steering committee will be notified later, as required by corporate policy and regulatory requirements.
Customers will be notified later, as required by corporate policy and regulatory requirements.
Regulatory agencies will be notified later, as required by corporate policy and regulatory requirements.
The data owners should be notified first, so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team.
Which of the following would be the BEST course of action when an alert indicates a large volume of outgoing traffic from a critical enterprise server?
A.Notify senior management about the incident.
B.Monitor traffic from the server.
C.Compare traffic log files from previous days.
D.Initiate the incident response process.
D is the correct answer.
Justification
Senior management would be notified after confirmation of the incident.
Monitoring traffic from the server could be initiated as part of the incident response process.
Comparing the log files could be initiated as part of the incident response process.
For a critical enterprise server, the incident management process should be started as soon as possible, which would be when an alert warns of unusual traffic.
Which of the following techniques would PRIMARILY include the methods and practices aimed to unveil the intention and extent of a cyberattack against an enterprise?
A.Vulnerability assessment
B.Red team exercise
C.Post-incident review
D.Forensic analysis
D is the correct answer.
Justification
A vulnerability assessment identifies system weaknesses, not the intention and extent of an incident.
A red team exercise is a replication of an attack in a controlled setting. However, it would not help to determine the impact of an attack in progress.
Post-incident review is the last step in an incident response and is more likely to reveal lessons learned than to unveil the intention and extent of a cyberattack.
Forensic analysis plays a vital role in investigation of a cyberattack. It includes analyzing the intrusion and summarizing the findings. Other options, such as vulnerability assessment, post-incident review and red team exercises, help in preventing a cyberattack but are not useful in the aftermath.
When collecting evidence for forensic analysis, it is MOST important to:
A.perform a vulnerability assessment on the applications affected.
B.use a digital rights management solution to access the data.
C.follow data preservation procedures.
D.perform a backup of the affected media to new media.
C is the correct answer.
Justification
Performing a vulnerability assessment takes place after the root cause of an incident has been determined to find new vulnerabilities, not to collect evidence.
A digital rights management solution is not intended to support forensic analysis.
The information security manager must follow procedures that preserve evidence, ensure a legally sufficient chain of custody and are appropriate to meet business objectives.
The suspect media should never be used as the source for analysis. The source or original media should be secured and only used to create a bit-for-bit image.
An information security manager has been notified that a server that is used within the entire enterprise has been breached. What is the FIRST step to take?
A.Inform management.
B.Notify users.
C.Isolate the server.
D.Verify the information.
D is the correct answer.
Justification
The information security manager should inform management but not before verifying the information.
Users should be notified after the information security manager has verified the information and informed management.
Isolating the server is not the first step that the information security manager should take.
Before any action is taken, the information security manager should verify that there has been a breach.
Which of the following techniques would BEST support forensic investigators trying to determine if files have been deleted from media?
A.Switching the computer to safe mode
B.Creating a bit-for-bit copy of the original media
C.Unplugging from the network
D.Rebooting the system
B is the correct answer.
Justification
Switching the computer to safe mode will result in a state change, which may result in the loss of evidence.
A bit-for-bit copy of the original media would best support forensic investigators in this situation. The investigators could compare the media in its current state against the bit-for-bit copy of the original media to search for discrepancies.
Unplugging the system will result in a state change, which may result in the loss of evidence.
Rebooting the system will result in a state change, which may result in the loss of evidence.
Which of the following is the BEST way to protect evidence integrity on a device to make it admissible in a court of law?
A.Create an image of the target device
B.Install a write blocker on the device
C.Scan for malicious software on the device
D.Delete unnecessary files to reduce volume size
B is the correct answer.
Justification
Creating a forensic image of the device should be done only after ensuring the integrity of the device.
A write blocker is used to maintain the integrity of the original storage media. It does so by preventing users from being able to write or modify information on the original storage media.
Scanning a device for malicious software could modify the device, compromising its integrity.
Modification of a device prior to creating a forensically sound image would compromise admissibility in a court of law.
A root kit was used to capture detailed accounts receivable information. What is the next step to ensure admissibility of evidence from a legal standpoint, once the incident has been identified and the server isolated?
A.Document how the attack occurred.
B.Notify law enforcement.
C.Take an image copy of the media.
D.Close the accounts receivable system.
C is the correct answer.
Justification
Documentation follows taking an image copy and may be supplementary.
Notifying law enforcement follows taking an image copy, preserving evidence and maintaining the chain of custody.
Taking an image copy of the media along with preserving any other evidence and maintaining the chain of custody is a recommended practice to ensure legal admissibility.
Closing the accounts receivable system is not a practical solution.
Which of the following choices is the MOST important incident response resource for timely identification of an information security incident?
A.A fully updated intrusion detection system
B.Multiple channels for distribution of information
C.A well-defined and structured communication plan
D.A regular schedule for review of network device logs
C is the correct answer.
Justification
Not all information security incidents originate from the network; an intrusion detection system will provide no detection value for a variety of incident types.
Diversifying the means of communication increases the odds that information reaches the people to whom it is sent, but it does nothing to ensure that the correct people receive the correct information at the correct time.
An incident is not identified within an enterprise until it is declared, which is a business responsibility beyond the scope of the technical staff. A well-defined and structured communication plan ensures that information flows from the technical staff to decision makers in a timely fashion, allowing incidents to be recognized, declared and appropriately addressed.
Reviewing logs provides an opportunity to identify irregular traffic patterns that may indicate an information security incident, but these logs provide insight into only a subset of attack vectors (e.g., external penetration would generally be covered, but insider threats may not). Additionally, if analysts who identify potentially revealing information do not have mechanisms in place to share those revelations with others in the enterprise, an effective response is less likely.
When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?
A.Assigning responsibility for acquiring the data
B.Locating the data and preserving the integrity of the data
C.Creating a forensically sound image
D.Issuing a litigation hold to all affected parties
B is the correct answer.
Justification
While assigning responsibility for acquiring the data is a step that should be taken, it is not the first step or the highest priority.
Locating the data and preserving data integrity are the first priorities.
Creating a forensically sound image may or may not be a necessary step, depending on the type of investigation, but it would never be the first priority.
Issuing a litigation hold to all affected parties might be a necessary step early in an investigation of certain types, but not the first priority.
Forensic analysis MUST be performed:
A.on the original media.
B.on an exact copy of the original media.
C.after a system reboot.
D.on an isolated system.
B is the correct answer.
Justification
Forensic analysis will contaminate the evidence if performed on the original media.
Forensic analysis must be performed only on a copy of the original media so that the evidence is uncontaminated as part of the investigation.
A system reboot will contaminate the evidence.
Forensic analysis can be performed on isolated and live systems.
An information security manager is in the process of investigating a network intrusion. One of the enterprise’s employees is a suspect. The manager has just obtained the suspect’s computer and hard drive. Which of the following is the BEST next step?
A.Create an image of the hard drive.
B.Encrypt the data on the hard drive.
C.Examine the original hard drive.
D.Create a logical copy of the hard drive.
A is the correct answer.
Justification
One of the first steps in an investigation is to create an image of the original hard drive. A physical copy will copy the data, block by block, including any hidden data blocks and hidden partitions that can be used to conceal evidence.
Encryption is not required.
Examining the hard drive is not good practice because it risks destroying or corrupting evidence.
A logical copy will only copy the files and folders and may not copy other necessary data to properly examine the hard drive for forensic evidence.
A customer credit card database has been reported as being breached by hackers. What is the FIRST step in dealing with this attack?
A.Confirm the incident.
B.Notify senior management.
C.Start containment.
D.Notify law enforcement.
A is the correct answer.
Justification
Validating that the condition is a true security incident is the necessary first step in determining the correct response.
Notifying senior management could be part of the incident response process that takes place after confirming an incident.
The containment stage would follow confirming the incident.
Notifying law enforcement by the appropriate party could be part of the incident response process that takes place after confirming an incident.
Which of the following capabilities is MOST important for an effective incident management process? The enterprise’s capability to:
A.detect the incident.
B.respond to the incident.
C.classify the incident.
D.record the incident.
A is the correct answer.
Justification
An enterprise must be able to detect the incident to respond, record and classify the incident. Even if response is not possible, detection allows stakeholders to be informed.
Responding to an incident is an essential part of incident management, but it must be detected first.
Incidents detected are typically classified based on impact.
Incidents cannot be recorded unless detected.
Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:
A.removed into the custody of law enforcement investigators.
B.kept in the tape library pending further analysis.
C.sealed in a signed envelope and locked in a safe under dual control.
D.handed over to authorized independent investigators.
B is the correct answer.
Justification
Removing the tape into the custody of law enforcement provides clear indication of who was in custody of the tape at all times.
Because a number of individuals would have access to the tape library and could have accessed and tampered with the tape, the chain of custody could not be verified.
Sealing the tape and locking it in a safe provides clear indication of who was in custody of the tape at all times.
Handing the tape over to authorized independent investigators provides clear indication of who was in custody of the tape at all times.
When attempting data recovery of a specific file during forensic analysis, an investigator would be challenged the MOST when:
A.all files in the directory have been deleted.
B.the partition table on the disk has been deleted.
C.the file content has been overwritten.
D.high-level disk formatting has been performed.
C is the correct answer.
Justification
Deleted files that have not been physically overwritten can generally be retrieved using commonly available forensic tools.
Partition tables can generally be retrieved using commonly available forensic tools.
When the actual file content on the disk is overwritten, it generally cannot be recovered without significant resources and highly specialized tools; frequently, it cannot be recovered at all.
Drives that have been high-level formatted can generally be retrieved using commonly available forensic tools.
If a forensics copy of a hard drive is needed, which of the following would be the MOST defensible from a legal standpoint?
A.A compressed copy of all contents of the hard drive
B.A copy that includes all files and directories
C.A bit-for-bit copy of all data
D.An encrypted copy of all contents of the hard drive
C is the correct answer.
Justification
Whether a copy is compressed is irrelevant, and a straight copy operation will not include everything on the hard disk that is not identified by the operating system as a standard file.
A copy of all files and directories will not be an image of the hard disk and will fail to copy a variety of data, including data between the end of a file and the end of the disk sector (“slack space”) and deleted files that have not been overwritten.
There is no alternative to making a bit-for-bit copy. For legally sufficient evidence, only a bit copy will result in a true image of the hard drive.
Whether the data are encrypted is not relevant, and copying all files and folders will miss certain data such as data between the end of a file and the end of the disk sector (slack space).
What is the PRIMARY focus if an enterprise considers taking legal action on a security incident?
A.Obtaining evidence as soon as possible
B.Preserving the integrity of the evidence
C.Disconnecting all IT equipment involved
D.Reconstructing the sequence of events
B is the correct answer.
Justification
Obtaining evidence as soon as possible is part of the investigative procedure but is not as important as preserving the integrity of the evidence.
The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law).
Disconnecting involved IT equipment is part of the investigative procedure but is not as important as preserving the integrity of the evidence.
Reconstructing the sequence of events is part of the investigative procedure but is not as important as preserving the integrity of the evidence.
What action should an incident response team take if the investigation of an incident response event cannot be completed in the time allocated?
A.Continue to work the current action.
B.Escalate to the next level for resolution.
C.Skip to the next action in the plan.
D.Declare a disaster.
B is the correct answer.
Justification
Every unsuccessful action simply wastes time; escalate and move on.
Because the investigation process must have time constraints, if the initial team cannot find resolution in the plan time allotted, it should escalate the resolution to the next level and move on to system recovery.
The activity in an incident response event should not stop until the root cause has been determined, but other teams may need to be called in to divide the work and complete the response plan.
A disaster should not be declared until the event root cause has been determined or senior management has determined that the resolution will take longer than acceptable for a system outage.
Forensic investigators can determine what is currently happening on a system by examining:
A.a bit-by-bit copy.
B.isolated systems.
C.volatile data.
D.the original media.
C is the correct answer.
Justification
A bit-by-bit copy of the data is an imaging activity, and imaging of the volatile memory is not possible using this method.
Both isolated and live systems can be forensically analyzed.
Volatile data are only present while the computer is running. During an investigation, volatile data can contain critical information that would be lost if not first collected. For example, many types of malware are designed to be present in the computer’s memory when it is operating and to disappear when the computer is turned off, leaving no trace.
Forensic analysis should never be done on original media and it will not provide information regarding volatile memory.
How does a security information and event management solution MOST likely detect the existence of an advanced persistent threat in its infrastructure?
A.Through analysis of the network traffic history
B.Through stateful inspection of firewall packets
C.Through identification of zero-day attacks
D.Through vulnerability assessments
A is the correct answer.
Justification
Advanced persistent threat (APT) refers to stealthy attacks not easily discovered without detailed analysis of behavior and traffic flows. Security information and event management (SIEM) solutions analyze network traffic over long periods of time to identify variances in behavior that may reveal APTs.
Stateful inspection is a function of some firewalls but is not part of a SIEM solution. A stateful inspection firewall keeps track of the destination Internet Protocol address of each packet that leaves the enterprise’s internal network. Whenever the response to a packet is received, its record is referenced to ascertain and ensure that the incoming message is in response to the request that went out from the enterprise.
Zero-day attacks are not APTs because they are unknown until they manifest for the first time and cannot be proactively detected by SIEM solutions.
A vulnerability assessment identifies areas that may potentially be exploited, but does not detect attempts at exploitation, so it is not related to APT.
Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter?
A.Reboot the border router connected to the firewall.
B.Check intrusion detection system logs and monitor for any active attacks.
C.Update IDS software to the latest available version.
D.Enable server trace routing on the demilitarized zone segment.
B is the correct answer.
Justification
Rebooting the router would not be relevant.
Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation. It would be inappropriate to take any action beyond that.
Updating the IDS could create a temporary exposure until the new version can be properly tuned.
Enabling server trace routing is of no use.
An information security manager becomes aware of an active security incident in which there is an exfiltration of organizational data by attackers. What is the FIRST course of action for the information security manager?
A.Inform the system owner of the situation.
B.Determine the cause of the incident.
C.Ensure that the affected system is turned off to preserve forensic evidence.
D.Block the traffic going to the attacker’s servers.
D is the correct answer.
Justification
The system owner would need to be informed, but that is not the first thing an information security manager should focus on.
The cause of the incident should be determined, if possible, but this would not be the first action to take.
Turning the system off will result in a state change, which may result in the loss of forensic evidence.
The priority in a data exfiltration situation would be to limit the damage by blocking outgoing traffic to the attacker’s servers.
Which of the following is the BEST control to limit the impact of a successful ransomware attack?
A.Incident response plan
B.User awareness
C.Air-gapped backups
D.Disaster recovery plan
C is the correct answer.
Justification
Incident response plans are reactive corrective controls and will not directly address the loss associated with a successful ransomware attack.
User awareness will help reduce the possibility of a successful attack but will not help limit damage from a successful attack.
Air-gapped backups are the best control to limit the damage because they are offline backups and would not be infected with the ransomware. These backups would allow the enterprise to recover data based on the recovery point objective.
Disaster recovery plans are corrective controls and will not directly address the loss associated with a successful ransomware attack.
What is the FIRST step an incident response team should take once an incident and its source have been detected?
A.Escalate the incident.
B.Damage assessment.
C.Determine the severity.
D.Contain the incident.
D is the correct answer.
Justification
Escalating the incident to senior management without first containing it will potentially increase the damage caused.
The damage can be assessed only after the incident is contained or else the damage will increase further.
The severity can be determined only after the incident is contained or else the damage will increase further.
Once an incident and its source have been detected, the incident must be contained to prevent further spreading or damage.
Which of the following is the MOST appropriate containment strategy to execute upon a successful security incident?
A.Conducting a detailed vulnerability assessment on affected areas
B.Isolating the systems or assets affected by the breach
C.Prioritizing the resources needed to appropriately respond to the incident
D.Completely removing the threats causing the incident from the systems
B is the correct answer.
Justification
Conducting a detailed vulnerability assessment on affected areas is an eradication phase activity and may be too time consuming.
Containment includes all the activities, tasks, and steps taken in the attempt to limit or reduce the impact of an incident. Isolating the affected systems or assets is the first action to contain the incident and limit its impact, depending on the nature of the incident.
Incident handling resources are limited, and they must be used to the greatest benefit. This step is a detection and analysis activity, not a containment activity.
Complete removal of any threat that was introduced to the environment during the incident is an eradication activity.
Which of the following is the MOST important incident containment method consideration?
A.Preserving forensic evidence
B.Installing vulnerability assessment tools
C.Enabling computer logging mechanisms
D.Synchronizing system clocks on all systems
A is the correct answer.
Justification
Forensic evidence needs to be protected from damage or contamination. If the forensic evidence is lost or damaged after the incident is reported, then the downstream incident response will be inconclusive.
The installation of vulnerability assessment tools aids in prevention of incidents but not containment.
Enabling the computer logging mechanism after an incident will help in detecting future incidents, but not in containment efforts.
The synchronization of system clocks supports incident investigation but will not contain the incident.
Which of the following actions should be taken when an online trading company discovers a network attack in progress?
A.Shut off all network access points
B.Dump all event logs to removable media
C.Isolate the affected network segment
D.Enable trace logging on all events
C is the correct answer.
Justification
Shutting off all network access points would create a denial of service that could result in loss of revenue.
Dumping event logs, while useful, would not mitigate the immediate threat posed by the network attack.
Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing.
Enabling trace logging, while useful, would not mitigate the immediate threat posed by the network attack.
Which of the following should be the FIRST step an incident response team should take when ransomware is identified on a number of workstations?
A.Remove the affected systems from the network.
B.Notify the system owners.
C.Restore the affected workstations from backups.
D.Review event logs to identify other infected systems.
A is the correct answer.
Justification
Because ransomware spreads quickly and could damage more systems, the most effective response is to contain the incident by removing affected systems from the network. This option represents the containment phase, which is the first step after confirming the incident. The information security manager has a responsibility to protect the enterprise, so containment would be the priority in this situation.
The time taken to notify system owners would allow the ransomware infection to spread to other systems. Notification would occur after containing the incident.
Attempting to restore from backups could allow the backups to be infected and would destroy evidence needed to investigate the incident.
The uncontained ransomware infection would spread to other systems as the logs were reviewed.
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
A.Applying patches
B.Changing access rules
C.Upgrading hardware
D.Backing up files
D is the correct answer.
Justification
Applying patches does not significantly increase the level of difficulty.
Changing access rules has no effect on eradication of malicious code.
Upgrading hardware does not significantly increase the level of difficulty.
If malicious code is not immediately detected, it will most likely be backed up as part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.
An artificial intelligence (AI) company detects that a large language model (LLM) running in its infrastructure has been exploited by threat actors. The company’s incident response team is activated and is considering containment strategies. What would be the FIRST action to contain this incident?
A.Inform all stakeholders about the breach.
B.Shut down the AI model development system.
C.Update all affected systems with the latest security patches.
D.Isolate the affected system.
D is the correct answer.
Justification
Informing all stakeholders about the breach is not the first step in containing the incident. This action is part of the communication plan that is executed after understanding the impact of the breach.
While shutting down the artificial intelligence (AI) model development system might seem like a good immediate reaction, it can disrupt business operations and might not be necessary if the breach is contained within a limited number of systems.
Updating all systems with the latest security patches is a part of vulnerability management and could prevent future incidents, but it might not be effective in containing the current incident.
Isolating the affected system and initiating a forensic analysis is the first step in containing the incident. This prevents the breach from spreading to other systems and allows the incident response team to begin the investigation.
A password hacking tool was used to capture detailed bank account information and personal identification numbers. Upon confirming the incident, the NEXT step is to:
A.notify law enforcement.
B.start containment.
C.make an image copy of the media.
D.isolate affected servers.
B is the correct answer.
Justification
Notifying law enforcement should be performed after the containment plan has been executed.
After an incident has been confirmed, containment is the first priority of incident response because it will generally mitigate further impact.
Making an image copy of the media should be performed after the containment plan has been executed.
Isolating affected servers is part of containment.
When a large enterprise discovers that it is the subject of a network probe, which of the following actions should be taken?
A.Reboot the router connecting the demilitarized zone (DMZ) to the firewall.
B.Power down all servers located on the DMZ segment.
C.Monitor the probe and isolate the affected segment.
D.Enable server trace logging on the affected segment.
C is the correct answer.
Justification
Rebooting the router is not warranted.
Powering down the demilitarized zone servers is not warranted.
In the case of a probe, the situation should be monitored and the affected network segment isolated.
Enabling server trace logging is not warranted.
Which of the following should be the FIRST action to take when a fire spreads throughout the building?
A.Check the facility access logs.
B.Call together the crisis management team.
C.Launch the disaster recovery plan.
D.Launch the business continuity plan.
A is the correct answer.
Justification
Safety of people always comes first; therefore, verifying access logs of personnel to the facility should be the first action in order to ensure that all staff can be accounted for.
Calling the crisis management team together should be done after the initial emergency response (i.e., evacuation of people).
Launching the disaster recovery plan is not the first action.
Launching the business continuity plan is not the first action.
An employee’s computer has been infected with a new virus. What should be the FIRST action?
A.Execute the virus scan.
B.Report the incident to senior management.
C.Format the hard disk.
D.Disconnect the computer from the network.
D is the correct answer.
Justification
The virus may start infecting other computers while the virus scan is running.
Only when the impact to the IT environment is significant should it be reported to senior management.
A virus infection does not warrant formatting the hard disk; that is a last resort.
The first action should be to contain the risk (i.e., by disconnecting the computer so that it will not infect other computers on the network).
What is the FIRST priority when responding to a major security incident?
A.Documentation
B.Monitoring
C.Restoration
D.Containment
D is the correct answer.
Justification
Documentation is important, but it should follow containment.
Monitoring is important and should be ongoing but does not limit the impact of the incident.
Restoration follows containment.
The first priority in responding to a security incident is to contain it to limit the impact.
An enterprise has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?
A.Inform senior management.
B.Determine the extent of the compromise.
C.Report the incident to the authorities.
D.Communicate with the affected customers.
B is the correct answer.
Justification
Before reporting to senior management, the extent of the exposure needs to be assessed.
Before reporting to senior management, affected customers or the authorities, the extent of the exposure needs to be assessed.
Reporting the incident to authorities is a management decision and not up to the security manager.
Communication with affected customers is a management task and is not the responsibility of the security manager.
What task should be performed after a security incident has been verified?
A.Identify the incident.
B.Contain the incident.
C.Determine the root cause of the incident.
D.Perform a vulnerability assessment.
B is the correct answer.
Justification
Identifying the incident means verifying whether an incident has occurred and finding out more details about the incident.
After an incident has been confirmed (identified), the incident management team should limit further exposure.
Determining the root cause takes place after the incident has been contained.
Performing a vulnerability assessment takes place after the root cause of an incident has been determined to check if the vulnerability has been addressed.
A new email virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?
A.Quarantine all picture files stored on file servers.
B.Block all emails containing picture file attachments.
C.Quarantine all mail servers connected to the Internet.
D.Block incoming Internet mail but permit outgoing mail.
B is the correct answer.
Justification
There is no indication of infection and quarantining all picture files is unnecessary.
Until signature files can be updated, incoming email containing picture file attachments should be blocked.
Quarantine of all mail servers is unnecessary because only those emails containing attached picture files are in question.
Blocking all incoming mail is unnecessary as long as picture files are blocked.
Malware has spread through multiple departments in an enterprise after an employee installed software from a universal serial bus (USB) drive. Which of the following is the MOST crucial to successful containment of the incident?
A.Restoring servers
B.Protecting evidence
C.Training employees
D.Updating management
B is the correct answer.
Justification
Restoring servers is important; however, it is not related to containment and usually occurs after containment.
There is a delicate balance between protecting evidence from an incident and containing an incident to prevent further impact. If evidence is destroyed, it may be difficult to determine the root cause and prosecute the attacker.
Training employees is important; however, it is not related to containment and usually occurs as a protective measure.
Updating management is important; however, it is not related to containment.
When establishing effective incident escalation processes for the incident response team, it is PRIMARILY necessary to state how:
A.long a member should wait for a response and what to do if no response occurs.
B.critical the incident is and which business units are directly impacted.
C.the incident is communicated to senior managers and other affected stakeholders.
D.incident response team managers are informed quickly about high-risk incidents.
A is the correct answer.
Justification
When defining and establishing effective incident escalation processes, it is primarily relevant to state how long a team member should wait for an incident response and what to do if no response occurs. This is the necessary (initial) platform for all further steps of an effective escalation process.
It is relevant to know how critical an incident is and which business units are impacted, but when establishing escalation processes, it is much more relevant to state how long a person should wait for a response and what to do if no response occurs.
Communication to stakeholders is part of the incident response process, but it is more important to establish waiting times and alternative responses because time is of the essence.
It is relevant to inform incident response team managers quickly, but initially it is more relevant to state how long a person should wait for a response and what to do if no response occurs.
During which phase of the incident response life cycle would the incident response team MOST likely focus on removing malicious software from infected devices?
A.Recovery
B.Post-incident response
C.Eradication
D.Containment
C is the correct answer.
Justification
Recovery activities are performed after the successful eradication of an incident. Removal of the malicious software is eradicating the cause of the incident.
Post-incident activities improve the response by documenting the lessons learned. Removing malicious software should occur before this phase.
Malicious software should be removed at the eradication phase of incident response.
Containment activities stop the damage, but they do not remove the cause, such as malicious software.
What is the PRIMARY benefit of having an updated communication plan when an incident occurs?
A.It provides guidance on how and what to communicate to regulatory authorities.
B.It guides the staff on when to invoke the business continuity plan.
C.It enables the staff to know what should be communicated to stakeholders.
D.It provides the necessary templates for incident communication.
C is the correct answer.
Justification
Detailed guidance on communicating to regulatory authorities is just one of the many relevant types of information documented in the communication plan. If it is unclear who should communicate what to whom and how, the plan is inefficient.
Whether to invoke the enterprise’s business continuity plan (BCP) may or may not be documented in the communication plan.
One of the primary objectives of a communication plan is to inform staff members about their roles and responsibilities, including whom to contact and how to communicate with them during an incident. Keeping the communication plan updated will ensure that this information is current should an incident occur.
Templates for incident communication are just one of the many relevant pieces of information documented in the communication plan. However, they are not of use if it is unclear who should use the templates and when.
Which of the following is the MOST important consideration for an enterprise interacting with the media during a disaster?
A.Communicating specially drafted messages by an authorized person
B.Refusing to comment until recovery
C.Referring the media to the authorities
D.Reporting the losses and recovery strategy to the media
A is the correct answer.
Justification
Proper messages need to be sent quickly through a specific identified person so that there are no rumors or statements made that may damage reputation.
Refusing to comment is appropriate only until the message to be communicated has been made clear and the spokesperson has addressed the media, not until recovery.
Referring the media to the authorities is not recommended.
Reporting the losses and recovery strategy to the media is not recommended.
When a breach or exposure of personal data is confirmed and the extent of the exposure is being assessed, which of the following should be the FIRST notified regarding the incident?
A.Affected data subjects
B.Senior management
C.External legal authorities
D.IT security manager
B is the correct answer.
Justification
Before notifying affected data subjects, it is a best practice to consult senior management first to determine what information can and should be communicated to external parties.
Senior management is notified of incidents affecting the organization’s business processes. Before reporting the incident to external parties, senior management needs to be consulted for approval of the reporting content and the time to report.
Before notifying privacy regulators and external parties, senior management and internal legal counsel should be consulted to determine the next steps.
The IT security manager may be notified later in the incident handling process depending on incident response activities.
Serious security incidents typically lead to renewed focus by management on information security that then usually fades over time. What opportunity should the information security manager seize to BEST use this renewed focus?
A.To improve the integration of business and information security processes
B.To increase information security budgets and staffing levels
C.To develop tighter controls and stronger compliance efforts
D.To acquire better supplemental technical security controls
A is the correct answer.
Justification
Close integration of information security governance with overall enterprise governance is likely to provide better long-term information security by institutionalizing activities and increasing visibility in all organizational activities.
Increased budgets and staff may improve information security but will not have the same beneficial impact as incorporating security into the strategic levels of the enterprise’s operations.
Control strength and compliance efforts must be balanced against business requirements, culture and other organizational factors and are best undertaken at the governance level.
While technical security controls may improve some aspects of security, they will not address management issues or provide the enduring organizational changes needed for improved maturity levels.
Which of the following choices is the BEST input for the definition of escalation guidelines?
A.Risk management issues
B.A risk and impact analysis
C.Assurance review reports
D.The effectiveness of resources
B is the correct answer.
Justification
Risk management deals primarily with controls and is not a viable basis for the definition of escalation guidelines.
A risk and impact analysis will be a basis for determining what authority levels are needed to respond to particular incidents.
Assurance review reports and results, such as the description of reporting effectiveness, are primarily suited for the monitoring of stakeholder communications.
The effectiveness of resources belongs to the description of reporting and communication and is not a viable basis for the definition of escalation guidelines.
Major security events with serious legal implications should be communicated to:
A.appropriate civil authorities when there has been a crime committed.
B.management after the incident has been verified and the severity determined.
C.all affected stakeholders, including legal and the insurance carrier.
D.only to human resources and the legal department for appropriate action.
B is the correct answer.
Justification
There are few, if any, circumstances in which the information security manager should contact external authorities directly.
Communication regarding security events, particularly ones that have legal implications, is a business decision that is the responsibility of management.
It is the decision of management to determine which stakeholders and external entities should be informed. This process should be detailed in the enterprise’s incident response communication plan.
Human resources and legal would not be the only departments to engage in communications in this situation.
When a significant security breach occurs, what should be reported FIRST to senior management?
A.A summary of the security logs that illustrates the sequence of events
B.An explanation of the incident and corrective action taken
C.An analysis of the impact of similar attacks at other enterprises
D.A business case for implementing stronger logical access controls
B is the correct answer.
Justification
A summary of security logs would be too technical to report to senior management.
When reporting an incident to senior management, the initial information to be communicated should include an explanation of what happened and how the breach was resolved.
An analysis of the impact of similar attacks would be desirable; however, it would be communicated later in the process.
A business case for improving controls may be appropriate after investigating the cause of the breach.
In a large enterprise, effective management of security incidents will be MOST dependent on:
A.clear policies detailing incident severity levels.
B.broadly dispersed intrusion detection capabilities.
C.training employees to recognize security incidents.
D.effective communication and reporting processes.
D is the correct answer.
Justification
Understanding severity levels is important but, on its own, is not sufficient to ensure that the information security manager is able to manage the incident effectively.
Intrusion detection is a useful tool for detecting potential network security incidents, but without robust communication and reporting processes, it is less effective.
Conducting awareness training so individuals can recognize potential incidents is important, but it is not effective unless the information is communicated to the right people in a timely manner.
Timely communication and reporting are most likely to ensure that the information security manager receives the information necessary to effectively manage a security incident. Effective communication will also help ensure that the correct resources are engaged at the appropriate time.
Which of the following poses the GREATEST challenge to establishing effective security incident management processes?
A.Security technologies are not kept up to date.
B.Stakeholders are not defined within security policies.
C.Incidents are not controlled by process owners.
D.Escalation paths are insufficiently defined.
D is the correct answer.
Justification
Security technologies are not typically the cause of substantial challenges in building effective security processes.
Security policies rarely define all stakeholders and notification to stakeholders is typically outside the scope of initial incident management, making the definition of escalation paths a greater concern. Escalation processes are typically procedures.
Control of incidents by process owners is not a primary requirement of effective security incident management.
Inadequately defined escalation paths may result in lack of adequate authority, substantial delays, lack of notification of the appropriate individuals, and other significant negative impacts.
When the computer incident response team finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
A.the information security steering committee.
B.customers who may be impacted.
C.data owners who may be impacted.
D.regulatory agencies overseeing privacy.
C is the correct answer.
Justification
The information security steering committee will be notified later, as required by corporate policy requirements.
Customers will be notified later, as required by corporate policy and regulatory requirements.
The data owners should be notified first, so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team.
Regulatory agencies will be notified later, as required by corporate policy and regulatory requirements.
The PRIMARY purpose of creating a crisis communication plan related to handling major cybersecurity incidents is to:
A.provide details on when and how to contact stakeholders.
B.minimize the loss of information from a major cybersecurity incident.
C.outline details and procedures for communicating with the cyberinsurance provider.
D.address how and when to communicate with the media, including who is authorized to speak.
A is the correct answer.
Justification
Providing procedures on disseminating internal and external communications is the purpose of establishing a crisis communication plan.
While a crisis communication plan may reduce the overall impact of a cybersecurity incident, such as reputational damage, it does not minimize the loss of information or data from a major cybersecurity incident, which is the objective of incident response.
Details on how and when to contact cyberinsurance providers are typically included in a communication plan for all types of incidents.
Communication with the media is only one part of the crisis communication plan.
The factor that is MOST likely to result in identification of security incidents is:
A.effective communication and reporting processes.
B.clear policies detailing incident severity levels.
C.intrusion detection system capabilities.
D.security awareness training.
D is the correct answer.
Justification
Timely communication and reporting are only useful after an incident has been identified.
Understanding how to establish severity levels is important, but it is not the essential element for ensuring that the information security manager is aware of anomalous events that might signal an incident.
Intrusion detection systems are useful for detecting IT-related incidents but are not useful for identifying other types of incidents such as social engineering or physical intrusion.
Ensuring that employees have the knowledge to recognize and report a suspected incident is most likely to result in identification of security incidents.
After a significant security breach has occurred, what is the MOST important item to report to the chief information officer?
A.A summary of the security logs that illustrates the sequence of events
B.An analysis of the impact of similar attacks at other enterprises
C.A business case for implementing stronger logical access controls
D.The impact of the incident and corrective actions taken
D is the correct answer.
Justification
A summary of security logs would be too technical to report to the chief information officer (CIO).
An analysis of the impact of similar attacks would be helpful but is not the most important item to report.
A business case for implementing stronger controls would be helpful to report to management, but it is not the most important item to report and would follow reporting impact and corrective actions.
The actual impact to the enterprise and corrective actions taken would be the most important item to share with the CIO.
Which of the following is the MOST important reason to develop a communication plan regarding security incidents as part of an incident management program?
A.To increase security awareness
B.To comply with regulatory requirements
C.To identify communication flows to stakeholders
D.To improve incident response
D is the correct answer.
Justification
Although a communication plan helps increase awareness, it is not the most important reason.
Meeting compliance requirements may be a requirement in some cases, but it is not the most important reason for communication regarding incidents.
Communication flows are part of the communication plan to improve the resolution of the incident.
The overall goal of the communication plan is to improve incident response. Effective communication helps stakeholders respond to the incident.
During the security review of organizational servers it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. What is the FIRST step the security manager should perform?
A.Copy sample files as evidence.
B.Remove access privileges to the folder containing the data.
C.Report this situation to the data owner.
D.Train the HR team on properly controlling file permissions.
C is the correct answer.
Justification
Copying sample files as evidence is not advisable because it breaches confidentiality requirements on the file.
Removing access privileges to the folder containing the data should be done by the data owner, or by the security manager in consultation with the data owner; frequently the security manager would not have this right. Regardless, this would be done only after formally reporting the incident.
The data owner should be notified prior to any action being taken.
Training the human resources team on properly controlling file permissions is the method to prevent such incidents in the future, but this should take place after the incident reporting and investigation activities are completed.
Which of the following is the BEST reason to maintain ongoing communication during incident response?
A. It guarantees that all employees understand how to respond to an incident.
B. It ensures that the organization will be able to prevent a security breach or incident.
C. It ensures that all relevant parties are informed and can take appropriate action.
D. It saves the organization time and costs when responding to the incident.
C is the correct answer.
Justification
While employee understanding of how to respond to an incident is important, it is not the primary reason for communication in incident response.
Effective communication alone does not prevent, or ensure the prevention of, a security breach or incident.
Communication in incident response ensures that all relevant parties are informed and can take appropriate action.
Communication is just one component of a comprehensive incident response plan and may not save time or reduce costs during the incident response.
Which of the following incident response processes should be completed before systems can be recovered following a phishing attack?
A.Develop a timeline for recovery.
B.Document lessons learned from the breach.
C.Develop a plan to prevent future breaches.
D.Remove malware from systems.
D is the correct answer.
Justification
The breach must be contained prior to developing plans for recovery.
Before lessons learned can be documented, the threat must be eradicated.
Developing a plan to prevent future breaches is part of the lessons learned phase. The threat must be first eradicated to prevent further losses to the enterprise.
Malware must be removed before systems can be recovered. If not, malware could be reintroduced to the environment during the recovery phase.
The acceptability of a partial system recovery after a security incident is MOST likely to be based on the:
A.ability to resume normal operations.
B.maximum tolerable outage.
C.service delivery objective.
D.acceptable interruption window.
C is the correct answer.
Justification
The ability to resume normal operations is situational and would not be a standard for acceptability.
While the maximum tolerable outage, in addition to many other factors, is part of a service delivery objective (SDO), it does not by itself address the acceptability of a specific level of operational recovery.
A prior determination of acceptable levels of operation in the event of an outage is the SDO. The SDO may be set at operation levels that are less than normal but sufficient to sustain essential business functions.
While the acceptable interruption window, in addition to many other factors, is part of an SDO, it does not by itself address the acceptability of a specific level of operational recovery.
The recovery time objective is reached at which of the following milestones?
A.Disaster declaration
B.Recovery of the backups
C.Restoration of the system
D.Return to business as usual processing
C is the correct answer.
Justification
Disaster declaration occurs at the beginning of this period.
Recovery of the backups occurs shortly after the beginning of this period.
The recovery time objective (RTO) is based on the amount of time required to restore a system.
Return to business as usual processing occurs significantly later than the RTO. RTO is an objective, and full restoration may or may not coincide with the RTO. RTO can be the minimum acceptable operational level, far short of normal operations.
Which of the following activities is MOST likely to be performed during the eradication of a confirmed and successful information security incident?
A.Identify and prevent the incident from spreading across the network.
B.Remove and clean up all incident components from affected systems.
C.Recover and return the impacted systems to normal operations.
D.Categorize and assign a priority to the incident.
B is the correct answer.
Justification
Containment includes finding what the incident has impacted and limiting the extent that it spreads across the network by isolating impacted systems or shutting them down after necessary evidence is collected.
Eradicating the incident requires determining and eliminating the root cause so that it cannot cause further damage. Actions required to completely remove the incident threat from the network or systems include cleaning infected files, changing rules and configurations, and making backups in order to mitigate incident impacts.
Restoring the system is simply returning it to normal operations. This is accomplished after eradication, during the recovery phase of the incident.
Identifying, confirming, categorizing and assigning a priority to an incident are performed during the detection phase of incident response.
The PRIMARY selection criterion for an offsite media storage facility is:
A.that the primary and offsite facilities are not subject to the same environmental disasters.
B.that the offsite storage facility is not in close proximity to the primary site.
C.the overall storage and maintenance costs of the offsite facility.
D.the availability of cost-effective media transportation services.
A is the correct answer.
Justification
It is important to prevent a disaster that could affect both sites, and ensuring that the primary and offsite facilities are not subject to the same environmental disasters addresses this concern.
The distance between sites may be important in cases of widespread disasters; however, this is covered by ensuring that the same environmental disasters do not affect the primary and offsite facilities.
The costs are a secondary criterion for selection.
A cost-effective media transport service may be a consideration but is not the main concern.
Which of the following BEST contributes to the design of data restoration plans?
A.Transaction turnaround time
B.Mean time between failures
C.Service delivery objectives
D.The duration of the data restoration job
C is the correct answer.
Justification
Transaction turnaround time may be a concern when the effectiveness of an application system is evaluated, but it is normally not a primary concern in the restoration stage.
Mean time between failures (MTBF) is the predicted elapsed time between inherent failures of a system during operation. MTBF is not a factor in determining restoration of data.
The service delivery objective (SDO) relates directly to the business needs; SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
The duration of a data restoration job may be of secondary importance. The strategic importance of data should be considered first.
The recovery point objective requires which of the following?
A.Disaster declaration
B.Before-image restoration
C.System restoration
D.After-image processing
B is the correct answer.
Justification
Disaster declaration is independent of this processing checkpoint.
The recovery point objective is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow.
Restoration of the system can occur at a later date.
After-image processing can occur at a later date.
The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
A.change the root password of the system.
B.implement multifactor authentication.
C.rebuild the system from the original installation medium.
D.disconnect the mail server from the network.
C is the correct answer.
Justification
Changing the root password of the system does not ensure the integrity of the mail server.
Implementing multifactor authentication is an after-the-fact measure and does not remove existing security threats.
Rebuilding the system from the original installation medium is the only way to ensure all security vulnerabilities and potential stealth malicious programs have been destroyed.
Disconnecting the mail server from the network is an initial step but does not guarantee security.
An artificial intelligence (AI) company specializing in natural language processing has just eradicated a malware infection from its main server. The company’s incident response team is now planning the recovery phase. Which of the following actions is MOST crucial for preventing similar incidents in the future?
A. Upgrade the training model to the latest version.
B. Increase iterations of data sampling.
C. Update all systems with the latest security patches.
D. Validate all input prompts prior to processing.
C is the correct answer.
Justification
Upgrading the training model to the latest version might improve the performance of the artificial intelligence (AI) system, but it does not directly prevent malware infections. The security of the system is not typically dependent on the version of the AI model used.
Increasing iterations of data sampling might improve the accuracy of the AI model, but it does not directly prevent malware infections. The security of the system is not typically dependent on the data sampling methods used in AI model training.
Updating all systems with the latest security patches is a part of the recovery process and could prevent future similar incidents. It ensures that the systems are protected against known vulnerabilities that could be exploited.
While input validation is an important part of secure coding practices to prevent certain types of attacks, such as injection attacks, the most crucial action after a malware infection is to update all systems with the latest security patches to protect against known vulnerabilities.
After measures have been applied to contain the escalation of a security incident, the NEXT step should be:
A.updating the risk register.
B.conducting a post-incident review.
C.updating the incident response plan.
D.restoring systems to their operational state.
D is the correct answer.
Justification
Updating the risk register is important but should be done after restoring systems to their operational state.
Conducting a post-incident review should be done after restoring the systems to their operational state.
Updating the incident response plan should be done after restoring systems to their operational state.
Once the containment has been completed, system operations must be restored to ensure business continuity.
Which of the following should be performed FIRST in the aftermath of a denial-of-service (DoS) attack?
A.Restore servers from backup media stored offsite.
B.Conduct an assessment to determine system status.
C.Perform an impact analysis of the outage.
D.Isolate the screened subnet.
B is the correct answer.
Justification
Servers may not have been affected, so it is not necessary at this point to rebuild any servers.
An assessment should be conducted to determine the overall system status and whether any permanent damage occurred.
An impact analysis of the outage will not provide any immediate benefit.
Isolating the screened subnet is after the fact and will not provide any benefit.
What action should the security manager take FIRST when incident reports from different organizational units are inconsistent and highly inaccurate?
A.Ensure that a clear organizational incident definition and severity hierarchy exists.
B.Initiate a company-wide incident identification training and awareness program.
C.Escalate the issue to the security steering committee for appropriate action.
D.Involve human resources in implementing a reporting enforcement program.
A is the correct answer.
Justification
The first action is to validate that clear incident definition and severity criteria are established and communicated throughout the enterprise.
A training program will not be effective until clear incident identification and severity criteria have been established.
The steering committee may become involved after incident criteria have been clearly established and communicated.
Enforcement activities will not be effective unless incident criteria have been clearly established and communicated.
A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. What is the MOST appropriate NEXT step?
A.Rebuild the server from the last verified backup.
B.Place the web server in quarantine.
C.Shut down the server in an organized manner.
D.Rebuild the server with original media and relevant patches.
D is the correct answer.
Justification
Rebuilding from the last known verified backup poses the risk that the verified backup may have been compromised by the super-user at a different time.
Placing the web server in quarantine should have already occurred in the forensic process.
The step of shutting down in an organized manner is out of sequence and no longer a problem. The forensic process is already finished and evidence has already been acquired.
The original media should be used because one could never find and eliminate all the changes a super-user may have made or the timelines in which these changes were made.
The typical requirement for security incidents to be resolved quickly and service restored is:
A.always the best option for an enterprise.
B.often in conflict with effective problem management.
C.the basis for enterprise risk management activities.
D.a component of forensics training.
B is the correct answer.
Justification
Quickly restoring service will not always be the best option, such as in cases of criminal activity, which require preservation of evidence precluding use of the systems involved.
Problem management is focused on investigating and uncovering the root cause of incidents, which will often be a problem when restoring service compromises the evidence needed.
Managing risk goes beyond the quick restoration of services (e.g., if doing so would increase some other risk disproportionately).
Forensics is concerned with legally adequate collection and preservation of evidence, not with service continuity.
An enterprise is primarily concerned with the financial impact of downtime associated with an information security incident. Which of the following items would be the MOST appropriate compensating control to have in place?
A.An offsite media storage contract
B.Business interruption insurance
C.A real-time failover architecture
D.A disaster recovery plan
B is the correct answer.
Justification
Storing backup media offsite improves the odds that they will be available to use for recovery activities, but it also increases the amount of time needed to complete the recovery. In a situation in which the primary concern is the financial impact of downtime, an offsite media storage contract is not helpful.
Business interruption insurance does not help restore operations, but it does compensate a business for the financial impact associated with interruption. In this scenario, the financial impact of downtime is the primary concern; therefore, insurance is an appropriate compensating control.
An architecture that provides for real-time failover prevents financial impact from downtime, but it does so at significant cost. An enterprise that is primarily concerned with financial impact (rather than operational efficiency or other concerns) is unlikely to accept this higher cost because the other benefits associated with real-time failover are not seen as justified.
A disaster recovery plan aids an enterprise in performing the steps needed to return to normal operations after a disaster, but even a clearly drafted and tested plan does not compensate for the financial impact of downtime, and many information security incidents have impacts that do not meet the disaster threshold.
After a service interruption of a critical system, the incident response team finds that it needs to activate the warm recovery site. Discovering that throughput is only half of the primary site, the team nevertheless notifies management that it has restored the critical system. This is MOST likely because it has achieved the:
A.recovery point objective.
B.recovery time objective.
C.service delivery objective.
D.maximum tolerable outage.
C is the correct answer.
Justification
The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
The recovery time objective is the target time to restore services to either the service delivery objective (SDO) or normal operations.
The SDO is the agreed-on level of service required to resume acceptable operations.
Maximum tolerable outage is the maximum length of time that the enterprise can operate at the recovery site.
Proximity factors must be considered when:
A.conducting a business impact analysis.
B.conducting a table-top business continuity test.
C.developing disaster recovery metrics.
D.selecting an alternate recovery site.
D is the correct answer.
Justification
Proximity to hazards is not a primary consideration in conducting a business impact analysis.
Proximity to hazards is not a primary consideration in conducting a table-top business continuity test.
Proximity to hazards is not a primary consideration in developing disaster recovery metrics.
Proximity to the primary site, the scope of potential hazards, and their possible impact on the recovery site are important considerations when selecting the location of a recovery site.
A root cause analysis for a new incident is FIRST performed during which phase of incident response?
A. Incident eradication
B. Incident containment
C. Incident recovery
D. Post-incident review
A is the correct answer.
Justification
Eradication includes the activities, tasks, and steps taken to correct the root cause of the incident. Incident response teams first conduct root cause analysis at this stage to determine the underlying causes of an incident and find a solution in order to prevent recurrence of the problem.
The main objective of the incident containment phase is to prevent and stop an incident from spreading to other enterprise resources and assets as fast as possible. Therefore, it is too early to conduct a root cause analysis at this stage.
The incident recovery phase needs a remediated root cause in order to effectively perform recovery activities and restore the enterprise to normal operational activities.
The post-incident phase is part of incident management, not part of incident response. If the root-cause analysis performed in the containment phase was not successful, a second root-cause analysis can be performed in the post-incident assessment.
Which of the following activities MOST increases the probability that an enterprise will be able to resume operations after a disaster?
A.Restoration testing
B.Establishment of a warm site
C.Daily data backups
D.An incident response plan
A is the correct answer.
Justification
A demonstrated ability to restore data is the best way to ensure that data can be restored after a disaster, and data drive the majority of business processes. If an enterprise is unable to restore its data, it will be of little value to have other considerations in place. On the other hand, if data can be restored, the enterprise can likely find workarounds for other challenges that it may face.
Having a warm site speeds up the process of disaster recovery by providing the facilities and equipment where data can be restored and operations reconstituted. However, if the data themselves cannot be restored, having the facilities and equipment will not be nearly as useful.
Performing data backups on a daily or other periodic basis is a good practice, but it is not until recovery is attempted that an enterprise gains knowledge of whether these backups are effective. Should the enterprise diligently perform backups for months or years and then discover that it cannot restore the data, all the time and expense of the backup program will have been wasted.
Recovery procedures are documented in the disaster recovery plan rather than in the incident response plan.
Which of the following would a security manager establish to determine the target for restoration of normal processing?
A.Recovery time objective
B.Maximum tolerable outage
C.Recovery point objectives
D.Service delivery objectives
A is the correct answer.
Justification
Recovery time objective is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level.
Maximum tolerable outage is the maximum time for which an enterprise can operate in alternate mode.
Recovery point objectives relate to the age of the data required for recovery.
Service delivery objectives are the levels of service required for acceptable operations.
The PRIMARY objective of performing the root-cause analysis of an incident is to:
A.document the incident in detail so it can be reported to relevant stakeholders.
B.make sure that the auditors are satisfied that the incident management controls are effective.
C.understand how to prevent the incident from reoccurring or to reduce the impact of similar incidents.
D.share the findings and learnings from the incident with senior management.
C is the correct answer.
Justification
The incident should be documented in detail in the incident log. A communication plan would dictate how details of the incident should be reported to stakeholders.
The primary objective of a root-cause analysis is not to pass an audit or to satisfy the auditors.
Root-cause analysis is performed to understand how to prevent the incident from reoccurring in the future or to reduce the impact of similar incidents if they happen in the future.
The primary objective of root-cause analysis is to understand more about the incident and how to avoid it in the future or reduce its impact. Informing senior management is only a byproduct of the analysis.
Which of the following BEST helps an information security manager provide an indication of whether a similar incident will reoccur?
A.A vulnerability assessment
B.Automated log monitoring
C.A root cause analysis
D.Forensic investigations
C is the correct answer.
Justification
A vulnerability assessment will identify the existing vulnerabilities in the system. However, reoccurrence of threats depends upon the controls and corrective actions that are implemented.
Automated log monitoring helps in the early detection of an incident but may not indicate the possibility of reoccurrence.
A root cause analysis determines the vulnerabilities exploited by threats and how they were exploited. Based on the analysis, the information security manager may suggest corrective actions to prevent future exploitation.
Forensic investigations could help determine the method of attack and the actor that launched the attack but may not provide an indication on reoccurrence.
The post-incident review of a security incident revealed that there was a process that was not monitored. As a result, monitoring functionality has been implemented. Which of the following may BEST be expected from this remediation?
A.Reduction in total incident duration
B.Increase in risk tolerance
C.Improvement in identification
D.Facilitation of escalation
C is the correct answer.
Justification
Monitoring may cause incident duration to become longer, as each event is investigated and possibly escalated for further remediation.
Risk tolerance is a determination made by senior management based on the results of a risk analysis and the amount of risk senior management believes the enterprise can manage effectively. Risk tolerance will not change from implementation of a monitoring process.
When a key process is not monitored, that lack of monitoring may lead to a security vulnerability or threat going undiscovered, resulting in a security incident. Once consistent monitoring is implemented, identification of vulnerabilities and threats will improve.
Monitoring itself is simply an identification and reporting tool; it has little bearing on how information is escalated to other staff members for investigation and resolution.
Which of the following choices is the PRIMARY purpose of maintaining an information security incident history?
A.To provide evidence for forensic analysis
B.To record progress and document exceptions
C.To determine a severity classification of incidents
D.To track errors to assign accountability
B is the correct answer.
Justification
Recording incidents helps in providing evidence for forensic analysis in case legal action is required. Providing evidence for forensic analysis may or may not be the primary requirement for all incidents.
Recording information security incidents helps in maintaining a record of events from detection of the incident to closure of the incident. This helps the incident management teams to ensure that all related aspects required for resolving, closing and preventing reoccurrence of incidents are covered.
Recording incidents helps in identifying all required parameters for determining a severity classification; however, incident management is focused on containment, prevention and recovery.
Tracking errors to assign accountability is not the primary purpose for recording details of information security incidents. Process improvement is the primary purpose.
A virus incident has been reported and eradicated. The information security manager is MOST interested in knowing the:
A.intrusion detection system configuration.
B.type and payload of the virus.
C.virus entry path.
D.origin of the virus.
C is the correct answer.
Justification
Because the virus was reported and eradicated, there is no reason to suspect that the intrusion detection system is misconfigured. The first step is to determine the entry path so the investigation can identify which controls failed.
Information on type and payload of the virus is a secondary consideration because eradication has been concluded.
To prevent the recurrence, the security manager must find out how the virus entered the system and implement required controls.
The origin of the virus is not immediately actionable information and is not necessarily relevant.
Which of the following is the PRIMARY focus of incident response following a data breach?
A.Root cause analysis
B.Restore systems to production
C.Identify changes to security
D.Prevent reoccurrence of the breach
A is the correct answer.
Justification
Following the eradication phase, the enterprise needs to understand the cause of the incident to ensure that it implements appropriate additional controls, fixes control lapses and is able to start the recovery process.
Before systems are restored, the enterprise must first identify the cause.
Before changes can be implemented, the cause of the incident must be understood.
Preventing reoccurrence is an important part of the lessons learned phase. Analysis is needed before the enterprise can protect against future breaches.
What would be the BEST course of action to identify the source of a malware infection to reduce the risk of reoccurrence?
A.Review penetration testing reports
B.Conduct a root cause analysis
C.Analyze vulnerability scans
D.Evaluate compliance scans
B is the correct answer.
Justification
A penetration test is a simulated cyberattack against one’s computer system to check for exploitable vulnerabilities. Penetration testing reports vary by type and scope and may not contain information about malware or overall weaknesses in the enterprise’s network and systems.
A root cause analysis exposes the main causes of problems to identify appropriate solutions. Conducting a root cause analysis is the best course of action because it is an extensive investigation that considers the results of all the other choices.
Vulnerability scans offer information pertaining to the target’s known vulnerabilities. Although they could be useful in determining the source, they themselves are not the best answer.
A compliance check scans the target and assesses compliance based on the standards selected for the scan.
Which of the following provides the BEST confirmation that the business continuity plan/disaster recovery plan (BCP/DRP) objectives have been achieved?
A.The recovery time objective was not exceeded during testing.
B.Objective testing of the BCP/DRP has been carried out consistently.
C.The recovery point objective was proved inadequate by DRP testing.
D.Information assets have been valued and assigned to owners according to the BCP/DRP.
A is the correct answer.
Justification
Consistent achievement of recovery time objectives during testing provides the most objective evidence that business continuity plan/disaster recovery plan (BCP/DRP) objectives have been achieved.
Objective testing of the BCP/DRP will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.
If the recovery point objective is inadequate, the objectives of BCPs have not been achieved.
Mere valuation and assignment of information assets to owners (according to the BCP/DRP) will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.
Why should an incident management team conduct a post-incident review?
A.To identify relevant electronic evidence
B.To identify lessons learned
C.To identify the hacker
D.To identify affected areas
B is the correct answer.
Justification
Evaluating the relevance of evidence is not the primary purpose for a post-incident review because it should have been established during the response to the incident.
Post-incident reviews are beneficial in determining ways to improve the response process through lessons learned from the attack.
Identifying who launched the attack is not the primary purpose for a post-incident review because it should have been established during the response to the incident.
Identifying what areas were affected is not the primary purpose for a post-incident review because it should have been established during the response to the incident.
Which of the following BEST helps an enterprise continuously improve the security incident response process?
A.Conducting post-incident reviews
B.Documenting incident response procedures
C.Conducting incident response plan walk-throughs
D.Providing incident response team training
A is the correct answer.
Justification
Post-incident reviews conducted after each incident help determine the gaps and opportunities in the actual incident response processes. Post-incident review results will enable the enterprise to discuss the lessons learned from the incident and introduce possible improvements with the current incident response process.
Documented incident response procedures help conduct effective incident response activities, but if the team does not follow the documentation or there are issues regarding incident response resource capabilities, documentation alone does not help improve the incident response process.
Incident response plan walk-throughs are a type of paper test conducted by team members for the incident response plan procedures. A walk-through is not very reliable, and it is not sufficient to find gaps and shortcomings in the incident response process.
Training helps team members with how to properly conduct the incident response activities but will not improve the process itself.
The PRIMARY purpose of involving third-party teams for carrying out post-incident reviews of information security incidents is to:
A.enable independent and objective review of the root cause of the incidents.
B.obtain support for enhancing the expertise of the third-party teams.
C.identify lessons learned for further improving the information security management process.
D.obtain better buy-in for the information security program.
A is the correct answer.
Justification
It is always desirable to avoid the conflict of interest involved in having the information security team carry out the post-incident review.
Obtaining support for enhancing the expertise of the third-party teams is one of the advantages but is not the primary driver.
Identifying lessons learned for further improving the information security management process is the general purpose of carrying out the post-incident review.
Obtaining better buy-in for the information security program is a secondary reason for involving third-party teams.
An enterprise has just experienced a major incident that has caused interruption to critical business processes. What is the PRIMARY reason to conduct a post-incident review?
A.To identify responsible parties and apply disciplinary action or reward as appropriate
B.To document the event and ensure that all steps taken and issues encountered are listed
C.To ensure that all damage that resulted from the crisis is being fixed and that systems are stable
D.To determine the root cause of the crisis and take steps to prevent reoccurrence
D is the correct answer.
Justification
The post-incident review should address any training needs and personnel that played a role in the event, but this is not the primary objective.
Documenting the event should have been conducted during the incident. The post-incident review will rely on the documentation to learn what happened and the chronology of events.
It is important to ensure that all damage has been fixed, but this should have been done before the post-incident review.
During the incident, efforts may have been focused on getting the business back up and running; the post-incident review should ensure that the root cause of the incident is identified and addressed.
The PRIMARY goal of a post-incident review is to:
A.gather evidence for subsequent legal action.
B.identify individuals who failed to take appropriate action.
C.prepare a report on the incident for management.
D.derive ways to improve the response process.
D is the correct answer.
Justification
Forensic evidence should have been gathered earlier in the process.
A post-incident review should not focus on finding and punishing individuals who did not take appropriate action or on learning the identity of the attacker.
Although a post-incident review can be used to prepare a report/presentation to management, it is not the primary goal.
The primary goal of a post-incident review is to derive ways in which the incident response process can be improved.
What is the PRIMARY objective of a post-incident review in incident response?
A.To adjust budget provisioning
B.To preserve forensic data
C.To improve the response process
D.To ensure the incident is fully documented
C is the correct answer.
Justification
Adjusting budget provisioning is secondary.
Forensic data should already be preserved and is not part of post-incident review.
The primary objective is to find any weakness in the current process and improve it.
The incident should have been fully documented prior to conducting the post-incident review; ensuring its completeness is secondary.
The PRIMARY reason for senior management review of information security incidents is to:
A.ensure adequate corrective actions were implemented.
B.demonstrate management commitment to the information security process.
C.evaluate the incident response process for deficiencies.
D.evaluate the ability of the security team.
A is the correct answer.
Justification
Although some corrective actions were taken by the security team and the incident response team, management review will establish whether any other corrective actions needed to be taken. Sometimes this will result in improvements to information security policies.
Management will not review information security incidents merely to demonstrate management commitment.
Management will not perform a review for fault findings such as examining the incident response process for deficiencies.
Management will not perform a review for fault findings such as evaluating the ability of the security team.
What is the MOST important objective of a post-incident review?
A.Capture lessons learned to improve the process.
B.Develop a process for continuous improvement.
C.Develop a business case for the security program budget.
D.Identify new incident management tools.
A is the correct answer.
Justification
The main purpose of a post-incident review is to identify areas of improvement in the process.
Developing a process for continuous improvement is not the objective of a post-incident review.
Developing a business case for the security program budget may be supported by the analysis of the incident but is not the key objective.
Identifying new incident management tools may come from the analysis of the incident but is not the key objective.
If an enterprise has a requirement for continuous operations, which of the following approaches would be BEST to test response and recovery?
A.A full interruption test
B.A simulation test
C.A parallel test
D.A structured walk-through
C is the correct answer.
Justification
A full interruption test, in which operations are shut down at the primary site and shifted to the recovery site, is the most stringent form of response and recovery testing, but it is potentially disruptive. Even though the enterprise in this scenario might accept the cost of such a test, the need for continuous operations makes it inappropriate.
Simulation testing addresses people and processes but does not address startup recovery-site operations; therefore, it provides a lower level of assurance than a parallel test would provide.
The enterprise in this scenario requires continuous operations. A parallel test, in which operations are brought online at the recovery site alongside primary-site operations, is the closest an enterprise can come to full testing without risking a business impact; therefore, it is the best fit for the requirement.
Structured walk-throughs are pen-and-paper activities. A walk-through may help identify constraints, deficiencies and opportunities for enhancement, but the level of assurance it provides is low relative to a parallel test.
Which of the following areas discussed in a post-incident review would MOST likely trigger an improvement in the organizational learning culture?
A.Identification of additional tools needed to detect and mitigate future incidents
B.Evaluation regarding the extent to which documented procedures were followed
C.How well staff and management performed in responding to the incident
D.Determination of which corrective actions can prevent similar incidents
C is the correct answer.
Justification
Purchasing additional tools does not have an impact on organizational culture as this is the responsibility of the incident response team.
Following documented procedures is the responsibility of the incident response team and does not improve the overall organizational learning culture.
The performance of staff and management during an incident is proportional to their level of awareness of the incident response process. Deficiencies in these areas could reveal opportunities for improvement and additional training.
Proposed corrective actions encompass the entire incident response process; hence, these actions may or may not impact the organizational learning culture.