Incident Management Operations: 37. Conduct Post-Incident Reviews To Facilitate Continuous Improvement

Cism q

Uploaded by

shahera majed

CHAPTER 8

Incident Management Operations


This domain includes questions from the following topics:
• The steps involved in security incident response
• Incident response tools and techniques
• Attorney-client privilege
• Crisis management and communications
• Post-incident review and reporting

This chapter covers Certified Information Security Manager (CISM) Domain
4, “Incident Management,” part B, “Incident Management Operations.” The
entire Incident Management domain represents 30 percent of the CISM
examination.

One Supporting Task in the CISM job practice aligns with the Incident
Management / Incident Management Operations domain:

37. Conduct post-incident reviews to facilitate continuous improvement,
including root-cause analysis, lessons learned, corrective actions, and
reassessment of risk.

Security incidents cannot be prevented—at least not all of them. In this
asymmetric cyber war, attackers have innovation, time, and the element of
surprise on their side. It is imperative that every organization using
technology develop formal security incident response plans, train its
personnel, and continually practice with walk-throughs, drills, and
simulations.

QUESTIONS
1. Why would an organization consider developing alerts on its security
information and event management system, as opposed to using its
existing daily log review procedure?
A. More accurate and timely awareness of security issues requiring
action
B. Compliance with PCI DSS 3.2 requirement 10.6
C. Reduce costs associated with time-consuming log review
D. Free up staff to perform more challenging and interesting tasks
2. While responding to a security incident, the person acting as the
incident commander is unable to notify a particular executive in an
escalation procedure. What should the incident responder do next?
A. Notify regulators that the organization is experiencing a cyber
incident and requires assistance.
B. Notify law enforcement that the organization is experiencing a
cyber incident and requires assistance.
C. Order incident responders to suspend their activities until the
executive has been contacted.
D. Notify the next highest executive in the escalation chain.
3. Why would PCI DSS requirements require organizations to put
emergency contact information for payment card brands in their
incident response plans?
A. An emergency is a poor time to start looking for emergency
contact information for outside organizations.
B. Card brands must be notified of an incident involving card data as
soon as possible.
C. Requirement 12.10 in PCI DSS requires it.
D. It reminds organizations to notify the card brands in the event of a
breach.
4. The purpose of a post-incident review of a security incident includes all
of the following except which one?
A. Determine the root cause of the incident.
B. Identify improvements in incident response procedures.
C. Determine the motivation of the attacker.
D. Identify improvements in cybersecurity defenses.
5. Which term in security incident response represents the final activity
that takes place during a response to an incident?
A. Post-incident review
B. Remediation
C. Closure
D. Containment
6. Which of the following criteria would likely not be used to classify a
security incident?
A. Data volume
B. System location
C. Data sensitivity
D. Operational criticality
7. An incident response team is responding to a situation in which an
intruder has successfully logged on to a system using stolen
nonprivileged credentials. Which steps are most effective at containing
this incident?
A. Lock the compromised user account.
B. Reset the password of the compromised user account.
C. Kill all processes associated with the compromised user account.
D. Block the intruder’s originating IP address and lock the
compromised user account.
8. In what circumstances should executive management be notified of a
security incident?
A. In no cases, other than monthly and quarterly metrics
B. In all cases
C. When its impact is material
D. When regulators are required to be notified
9. Which of the following individuals should approve the release of
notifications regarding cybersecurity incidents to affected parties who
are private citizens?
A. General counsel
B. Chief marketing officer
C. Chief information security officer
D. Security incident response commander
10. What is the purpose of a write blocker in the context of security
incident response?
A. Protects forensic evidence against tampering
B. Creates forensically identical copies of hard drives
C. Assures that hard drives can be examined without being altered
D. Assures that affected systems cannot be altered
11. An employee in an organization is suspected of storing illegal content
on the workstation assigned to him. Human resources asked the
security manager to log on to the workstation and examine its logs. The
security manager has identified evidence in the workstation’s logs that
supports the allegation. Which statement best describes this
investigation?
A. The investigation was performed properly, and the organization
can proceed with disciplinary action.
B. Because forensic tools were not used to preserve the state of the
workstation, the veracity of the evidence identified in the
investigation can be called into question.
C. The investigation should enter a second phase in which forensic
tools are used to specifically identify the disallowed behavior.
D. The investigation cannot continue because the initial examination
of the workstation was performed without a signed warrant.
12. Under the state of California’s data security and privacy law of 2002
(SB 1386), under what circumstances is an organization not required to
notify affected parties of a breach of personally identifiable
information (PII)?
A. When the organization cannot identify affected parties
B. When the PII is encrypted at rest
C. When the number of compromised records is less than 20,000
D. When the number of total records is less than 20,000
13. Which of the following is not considered a part of a security incident
post-incident review?
A. Motivations of perpetrators
B. Effectiveness of response procedures
C. Accuracy of response procedures
D. Improvements in preventive controls
14. Which of the following is usually not included in a cost analysis of a
security incident during the post-incident review?
A. Penalties and legal fees
B. Notification to external parties
C. Assistance by external parties
D. Loss of market share
15. Which of the following describes the best practice for capturing login
log data?
A. Capture all unsuccessful login attempts. Capture user ID,
password, IP address, and location.
B. Capture all successful and unsuccessful login attempts. Capture
user ID, password, IP address, and location.
C. Capture all successful and unsuccessful login attempts. Capture
user ID, IP address, and location.
D. Capture all unsuccessful login attempts. Capture user ID, IP
address, and location.
16. What is the best method for utilizing forensic investigation assistance
in organizations too small to hire individuals with forensic
investigation skills?
A. Utilize interns from a nearby college or university that teaches
cyber-forensic investigations.
B. Request assistance from law enforcement at the city,
state/province, or national level.
C. Obtain an incident response retainer from a cybersecurity firm that
specializes in security incident response services.
D. Use one of several cloud-based, automated forensic examination
services.
17. An organization that obtains a SIEM is hoping to improve which
security incident response–related metric?
A. Remediation time
B. Dwell time
C. Postmortem quality
D. Damage assessment
18. An organization has developed DLP solutions on its endpoints and file
servers, but an adversary was able to exfiltrate data nonetheless. What
solution should the organization next consider to detect unauthorized
data exfiltration?
A. Network anomaly detection
B. Advanced antimalware
C. Endpoint firewalls
D. DDoS mitigation
19. At what point in the security incident response process should the
general counsel be notified?
A. During quarterly reporting of key risk indicators
B. During the post-incident review
C. When the incident is initially declared
D. When notification of regulators or external parties is likely
20. What should a security incident response plan utilize to ensure
effective notifications of internal and external parties?
A. Business continuity plan
B. Crisis response plan
C. Contact list
D. Disaster recovery plan
21. An organization recently suffered a security attack in which the
attacker gained a foothold in the organization through the exploit of a
weakness in an Internet-facing system. The root-cause analysis in the
post-incident review indicated that the cause of the incident was the
lack of a particular security patch on the system that was initially
attacked. What can the security leader conclude from the root cause?
A. System engineers need additional training in patch management.
B. The firewall failed to block the attack.
C. The vulnerability management process needs to be improved.
D. The root-cause analysis was not sufficient to identify the real root
cause.
22. What compensating control is most appropriate for the absence of
encryption of backup media?
A. Store backup media in locked containers in a keycard-access
controlled room.
B. Back up sensitive data to encrypted zip archives, which are backed
up to tape.
C. Obfuscate the names of files backed up to backup media.
D. Do not permit backup media to be removed from the processing
center.
23. The practice of proactively searching for signs of unauthorized
intrusions is known as what?
A. Geolocation
B. Password cracking
C. Threat hunting
D. Log correlation
24. A SaaS-based e-mail services provider backs up its customer data
through the replication of data from one storage system in the main
processing center to another storage system in an alternative processing
center. This data assurance architecture leaves the organization
vulnerable to what type of attack?
A. LUN spoofing
B. Supply chain
C. Smurf
D. Ransomware
25. An organization’s SIEM has generated alerts suggesting a user’s
workstation is being attacked by ransomware. What steps should be
taken in an effort to contain the incident?
A. Disconnect the user’s workstation from the network.
B. Disconnect the user’s workstation from the network and lock the
user’s account.
C. Lock the user’s account and scan the network for other infected
systems.
D. Pay the ransom and obtain decryption keys to recover lost data.
26. What is the likely role of the chief marketing officer in an information
security incident?
A. Keep records of security incident proceedings.
B. Update marketing collateral to state that security is important to the
organization.
C. Notify regulators of the incident.
D. Develop press releases that describe the incident and the
organization’s response to it.
27. An organization has determined that there are no resources who have
experience with malware reverse engineering and analysis. What is the
organization’s best short-term remedy for this deficiency?
A. Employ log correlation and analysis on the SIEM.
B. Obtain tools that perform malware reverse engineering.
C. Obtain an incident response retainer from a qualified security
consulting firm.
D. Train incident responders in malware analysis.
28. Why should forensic analysis tools not be placed on incident
responders’ daily-use workstations?
A. Workstations would become too costly and be a theft risk.
B. Incident responders will not be able to complete daily tasks during
incident response.
C. Daily-use workstations do not have sufficient RAM capacity.
D. Daily-use activities may influence forensic tools and cast doubt on
their integrity.
29. A post-incident-review process addresses all of the following except
which one?
A. Root-cause analysis
B. Selection of future incident response personnel
C. Potential improvements in preventive and detective controls
D. Potential improvements in security incident response procedures
30. Which of the following techniques best describes the impact of a
security incident on management?
A. Hard costs and soft costs
B. Hard costs, soft costs, and qualitative impacts
C. The total of all outsourced professional services
D. The total of all hardware replacement for affected systems
31. For what reason(s) would an IT service desk incident ticketing system
be inappropriate for the storage of information related to security
incidents?
A. Automatic escalations would be timed incorrectly.
B. A service desk incident ticketing system is designed for a different
purpose.
C. Sensitive information about an incident would be accessible to too
few personnel.
D. Sensitive information about an incident would be accessible to too
many personnel.
32. At what point during security incident response should law
enforcement be contacted?
A. When root-cause analysis during post-incident review identifies
that a law has been broken
B. When directed by the incident response plan and approved by the
incident response commander
C. When directed by the incident response plan and approved by the
general counsel
D. When the incident response commander determines a law has been
broken
33. SOC operators and the incident response team have confirmed that an
intruder has successfully compromised a web server and is logged in to
it. The IR team wants to take steps to contain the incident but doesn’t
want to disrupt operations unnecessarily. What approach should the IR
team take?
A. Test the proposed changes in a test environment first.
B. Take containment steps as quickly as possible.
C. Lock the user account and reboot the server.
D. Turn on firewall debugging.
34. All of the following are metrics for security incident response, except
which one?
A. Dwell time
B. Lag time
C. Containment time
D. Time to notify affected parties
35. An organization recently suffered a significant security incident. The
organization was surprised by the incident and believed that this kind
of event would not occur. To avoid a similar event in the future, what
should the organization do next?
A. Commission an enterprise-wide risk assessment.
B. Commission a controls maturity assessment.
C. Commission an internal and external penetration test.
D. Commission a controls gap assessment.
36. Security analysts in the SOC have noticed that the organization’s
firewall is being scanned by a port scanner in a hostile country.
Security analysts have notified the security manager. How should the
security manager respond to this matter?
A. Declare a high-severity security event.
B. Declare a low-severity security event.
C. Take no action.
D. Direct the SOC to block the scan’s originating IP address.
37. Security analysts in the SOC have noticed a large volume of phishing
e-mails that originate from a single “from” address. Security analysts
have notified the security manager. How should the security manager
respond to the matter?
A. Declare a high-level security incident.
B. Block all incoming e-mail from that address at the e-mail server or
spam filter.
C. Issue an advisory to all employees to be on the lookout for
suspicious messages and to disregard them.
D. Block the originating IP address.
38. Why is hardware asset inventory critical for the success of security
incident response?
A. Critical processes such as software asset and software licensing
depend upon accurate asset inventory.
B. Incident responders can better understand what assets may be
involved in an incident.
C. Vulnerability scans need to cover all hardware assets so that all
assets are scanned.
D. Penetration tests need to cover all hardware assets so that all assets
are scanned.
39. Of what possible value is system classification in the context of
security incident response?
A. System classification informs incident responders on what
information is stored in systems.
B. System classification helps incident responders better understand
the relative importance of systems.
C. System classification helps incident responders understand
dependencies between systems.
D. System classification informs incident responders of the location
of systems.
40. The corporate controller in an organization notified the CISO that an
employee recently received an e-mail from the CEO with instructions
to wire a large amount of money to an offshore bank account that is
part of secret merger negotiations. The corporate controller has
determined that this was a fraudulent transaction. How should the
CISO respond?
A. Declare a security incident.
B. Call the bank.
C. Notify law enforcement.
D. Conduct a reverse wire transfer.
41. A SOC analyst is using a system to perform queries to determine
whether any specific types of attacks or intrusions have occurred in the
organization. What is the SOC analyst doing?
A. Performing a penetration test
B. Conducting threat hunting
C. Performing a vulnerability scan
D. Conducting threat modeling
42. A SOC analyst is using a tool to identify potential weaknesses in one or
more information systems. What is the SOC analyst doing?
A. Performing a penetration test
B. Conducting threat hunting
C. Performing a vulnerability scan
D. Conducting threat modeling
43. Why is it important to take long-term steps to reduce dwell time?
A. Forensic imaging will take less time to acquire.
B. Vulnerability scans will take less time to complete.
C. Organizations will be aware of security vulnerabilities earlier.
D. Organizations will be aware of security incidents earlier.
44. A chain of custody should be established for all of the following
situations, except:
A. Computer intrusion by an external adversary
B. Employee terminated for lack of computer skills
C. Data theft perpetrated by an insider
D. Employee terminated for security policy violation
45. How are the crisis management and security incident response
functions related?
A. Security incident response leverages crisis management’s
escalation model.
B. Crisis management and security incident response are not related.
C. Crisis management directs security incident response proceedings.
D. Crisis management leverages security incident response’s
escalation model.
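Questions 1 and 15 above share one practical point: a SIEM can only alert on what the login logs actually capture, and those logs should record both successful and failed attempts with the user ID, source IP address, and location, never the password. The following is an added example, not code from the book; the log line format, the field names, and the five-failures-in-ten-minutes threshold are assumptions chosen for illustration, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the book). Each line records
# the outcome, user ID, source IP and location for BOTH successful and failed
# attempts, and never a password.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z login result=FAIL user=jdoe ip=203.0.113.5 geo=US-CA
2024-05-01T08:00:04Z login result=FAIL user=jdoe ip=203.0.113.5 geo=US-CA
2024-05-01T08:00:09Z login result=FAIL user=asmith ip=203.0.113.5 geo=US-CA
2024-05-01T08:00:15Z login result=FAIL user=bwong ip=203.0.113.5 geo=US-CA
2024-05-01T08:00:22Z login result=FAIL user=jdoe ip=203.0.113.5 geo=US-CA
2024-05-01T08:00:30Z login result=SUCCESS user=jdoe ip=203.0.113.5 geo=US-CA
2024-05-01T08:05:00Z login result=SUCCESS user=asmith ip=198.51.100.7 geo=US-NY
2024-05-01T09:30:00Z login result=FAIL user=asmith ip=198.51.100.7 geo=US-NY
2024-05-01T09:30:05Z login result=SUCCESS user=asmith ip=198.51.100.7 geo=US-NY
"""

# Assumed log line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>SUCCESS|FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) geo=(?P<geo>\S+)$"
)


def format_login_event(ts, result, user, ip, geo, **extra):
    """Produce one log line. Refuses any 'password' field so that a careless
    caller cannot write a credential into the audit trail."""
    if "password" in extra:
        raise ValueError("passwords must never be written to login logs")
    if result not in ("SUCCESS", "FAIL"):
        raise ValueError("result must be SUCCESS or FAIL")
    return f"{ts} login result={result} user={user} ip={ip} geo={geo}"


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window correlation of the kind a SIEM rule performs.

    Fires 'burst_failures' once when a source IP accumulates `threshold`
    failed logins inside `window`, and 'success_after_failures' if that same
    IP then logs in successfully, which is the case an analyst wants to see
    immediately rather than in the next day's log review.
    """
    alerts = []
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    fired = set()                # ips whose current burst already alerted
    for e in sorted(events, key=lambda x: x["ts"]):
        ip, q = e["ip"], recent[e["ip"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if not q:
            fired.discard(ip)    # burst has aged out; allow a new alert
        if e["result"] == "FAIL":
            q.append(e["ts"])
            if len(q) >= threshold and ip not in fired:
                fired.add(ip)
                alerts.append({"type": "burst_failures", "ip": ip,
                               "count": len(q), "at": e["ts"]})
        elif ip in fired:
            alerts.append({"type": "success_after_failures", "ip": ip,
                           "user": e["user"], "at": e["ts"]})
            fired.discard(ip)
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in brute_force_alerts(parse_log(SAMPLE_LOG)):
        print(a)
```

On the sample log the rule fires twice: once when the fifth failure from 203.0.113.5 lands within ten minutes, and again when that address then authenticates successfully as jdoe, which is the event that should reach a responder in minutes rather than surface in a daily review. The threshold and window are tuning knobs; the location field is recorded here so that further rules (for example, a login from two distant locations in a short interval) have the data they need.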

QUICK ANSWER KEY

1. A
2. D
3. B
4. C
5. A
6. B
7. D
8. D
9. A
10. C
11. B
12. B
13. A
14. D
15. C
16. C
17. B
18. A
19. D
20. B
21. D
22. A
23. C
24. D
25. B
26. D
27. C
28. D
29. B
30. B
31. D
32. C
33. A
34. B
35. A
36. D
37. B
38. B
39. B
40. A
41. B
42. C
43. D
44. B
45. A

ANSWERS
1. Why would an organization consider developing alerts on its security
information and event management system, as opposed to using its
existing daily log review procedure?
A. More accurate and timely awareness of security issues requiring
action
B. Compliance with PCI DSS 3.2 requirement 10.6
C. Reduce costs associated with time-consuming log review
D. Free up staff to perform more challenging and interesting tasks
A. The best reason for developing alerts in a security information
and event management system (SIEM) is the near-instantaneous
alerting of personnel of a security matter requiring investigation
and potential remediation. Daily log review is time-consuming and
infeasible in all but the smallest organizations due to the high
volume of log data that is produced in information systems.
B, C, and D are incorrect. B is incorrect because PCI DSS
requirement 10.6 does not specifically require that an organization
employ a SIEM with alerts, although it is suggested as a more
effective approach for daily log review. C is incorrect because cost
reduction is not the best reason to generate security alerts. D is
incorrect because providing staff with professional challenges is
not the best answer to this question.
2. While responding to a security incident, the person acting as the
incident commander is unable to notify a particular executive in an
escalation procedure. What should the incident responder do next?
A. Notify regulators that the organization is experiencing a cyber
incident and requires assistance.
B. Notify law enforcement that the organization is experiencing a
cyber incident and requires assistance.
C. Order incident responders to suspend their activities until the
executive has been contacted.
D. Notify the next highest executive in the escalation chain.
D. The best choice among those available here is for the incident
commander to notify the next highest executive in the escalation
chain. This is not an ideal situation, but security incident response
does not always proceed as expected.
A, B, and C are incorrect. A and B are incorrect because
notification of outside authorities is not an appropriate alternative
action to the inability to contact an executive. C is incorrect
because the suspension of security incident response activities may
permit attackers to continue inflicting damage to the organization.
3. Why would PCI DSS requirements require organizations to put
emergency contact information for payment card brands in their
incident response plans?
A. An emergency is a poor time to start looking for emergency
contact information for outside organizations.
B. Card brands must be notified of an incident involving card data as
soon as possible.
C. Requirement 12.10 in PCI DSS requires it.
D. It reminds organizations to notify the card brands in the event of a
breach.
B. PCI DSS requirement 12.10 implies that card brands’ emergency
contact information should be included in organizations’ security
incident response plans because the card brands should be notified
as soon as possible after knowledge of a breach of credit card data.
A, C, and D are incorrect. A is incorrect because, although it is true
that an emergency is a poor time to start looking around for
emergency contact information, this is not the best answer. C is
incorrect because this answer is circular; there is a reason for the
requirement, and answer B offers the reason. D is incorrect
because the presence of contact information does not serve as a
reminder; instead, security incident response procedures should
explicitly specify when, and under what conditions, an
organization is required to notify one or more of the card brands.
4. The purpose of a post-incident review of a security incident includes all
of the following except which one?
A. Determine the root cause of the incident.
B. Identify improvements in incident response procedures.
C. Determine the motivation of the attacker.
D. Identify improvements in cybersecurity defenses.
C. Determination of the motivation of an attacker is not one of the
objectives of a review of the response to a security incident.
A, B, and D are incorrect. A is incorrect because the determination
of the root cause of a security incident is one of the main reasons
for conducting a post-incident review. B is incorrect because the
identification of improvements in incident response procedures is
one of the reasons for conducting a post-incident review. D is
incorrect because the identification of improvements in defenses is
one of the objectives of a post-incident review.
5. Which term in security incident response represents the final activity
that takes place during a response to an incident?
A. Post-incident review
B. Remediation
C. Closure
D. Containment
A. A post-incident review, sometimes casually called a
postmortem, is a review of the entire incident intended to help
reviewers understand the incident’s cause, the role of preventive
and detective capabilities, and the effectiveness of incident
responders. The purpose of the after-action review is to identify
improvements in defenses and response procedures to reduce the
probability and/or impact of a similar future incident and to ensure
a more effective response should one occur.
B, C, and D are incorrect. These are all steps that take place after
containment, mitigation, and recovery. Typically, the steps in
security incident response are planning, detection, initiation,
analysis, containment, eradication, recovery, remediation, closure,
and post-incident review. Evidence is retained after an incident for
an unspecified period of time.
6. Which of the following criteria would likely not be used to classify a
security incident?
A. Data volume
B. System location
C. Data sensitivity
D. Operational criticality
B. The location of a system is the least likely factor to be used to
classify a security incident, unless the incident constitutes a breach
of privacy of individuals, in which case there may be applicable
laws such as GDPR or CCPA. Further, a system’s location might
influence the selection of personnel to respond to an incident, but
this is not a part of incident classification.
A, C, and D are incorrect. A is incorrect because the volume of
data involved in an incident is likely to influence the incident’s
classification, particularly if the data is sensitive. C is incorrect
because the sensitivity of data involved in an incident is highly
likely to influence the incident’s classification because of the
possibility that regulators, law enforcement, or affected parties
may need to be notified. D is incorrect because the operational
criticality of a system is likely to influence the incident’s
classification.
7. An incident response team is responding to a situation in which an
intruder has successfully logged on to a system using stolen
nonprivileged credentials. Which steps are most effective at containing
this incident?
A. Lock the compromised user account.
B. Reset the password of the compromised user account.
C. Kill all processes associated with the compromised user account.
D. Block the intruder’s originating IP address and lock the
compromised user account.
D. Locking the compromised user account and blocking access
from the intruder’s originating IP address are the best available
steps here. Other steps should also be taken, including killing all
processes running under the compromised user account.
A, B, and C are incorrect. A is incorrect because locking the
compromised user account may be ineffective, as the intruder may
have compromised other accounts. B is incorrect because resetting
the password will not stop the attack in progress unless the intruder
needs to log in again. C is incorrect because killing processes alone
will not necessarily prevent the intruder from logging in again.
None of these choices are completely effective.
8. In what circumstances should executive management be notified of a
security incident?
A. In no cases, other than monthly and quarterly metrics
B. In all cases
C. When its impact is material
D. When regulators are required to be notified
D. Executive management should be notified of a cyber incident
when it has been determined that regulators must be notified. This
is not the only circumstance in which executives should be
notified; others include incidents that disrupt business operations
as well as large-scale incidents involving the compromise of
sensitive information.
A, B, and C are incorrect. A is incorrect because executives should
be notified of serious incidents. B is incorrect because it is not
necessary to notify executives of small-scale incidents. C is
incorrect because it is not as good an answer as D.
9. Which of the following individuals should approve the release of
notifications regarding cybersecurity incidents to affected parties who
are private citizens?
A. General counsel
B. Chief marketing officer
C. Chief information security officer
D. Security incident response commander
A. The general counsel—the top-ranking attorney—should be the
person who approves the release of notifications to affected parties.
An attorney has expertise in the interpretation of applicable laws,
and it is these laws that stipulate notifications to outside parties.
B, C, and D are incorrect. B is incorrect because the marketing
executive generally does not have expertise in the law to decide
when to perform a required notification. The marketing executive
may, however, assist in the process of notifying those parties. C is
incorrect because the CISO is generally not the leading expert in
the law to determine if and when notification of outside parties is
required. Further, because the CISO is generally responsible for
security incident response, the CISO, the general counsel, and
others function as an executive team responsible for high-level
decisions, which is preferable to a single individual who makes all
of the strategic decisions. D is incorrect because the incident
commander is a lower-level person who is responsible for response
logistics, but not for making high-level decisions such as
notification of external affected parties.
10. What is the purpose of a write blocker in the context of security
incident response?
A. Protects forensic evidence against tampering
B. Creates forensically identical copies of hard drives
C. Assures that hard drives can be examined without being altered
D. Assures that affected systems cannot be altered
C. A write blocker is used to connect a hard drive that is the subject
of forensic analysis to a computer. The write blocker permits the
computer to read from the subject hard drive but does not permit
any updates to the hard drive. This serves as an important control
in a forensic investigation by preserving the integrity of subject
hard drives.
A, B, and D are incorrect. A is incorrect because a write blocker
does not protect forensic evidence against tampering. B is incorrect
because a write blocker is not used to create copies of hard drives;
however, a write blocker is a supporting tool that ensures that
copies of subject hard drives can be made without affecting the
subject hard drives. D is incorrect because write blockers are not
used to protect systems from being altered.
11. An employee in an organization is suspected of storing illegal content
on the workstation assigned to him. Human resources asked the
security manager to log on to the workstation and examine its logs. The
security manager has identified evidence in the workstation’s logs that
supports the allegation. Which statement best describes this
investigation?
A. The investigation was performed properly, and the organization
can proceed with disciplinary action.
B. Because forensic tools were not used to preserve the state of the
workstation, the veracity of the evidence identified in the
investigation can be called into question.
C. The investigation should enter a second phase in which forensic
tools are used to specifically identify the disallowed behavior.
D. The investigation cannot continue because the initial examination
of the workstation was performed without a signed warrant.
B. Because the security manager logged in to the subject’s
workstation without first taking steps to preserve a forensic copy of
the workstation, the security manager could be accused of planting
evidence on the workstation, and this allegation would be difficult
to refute. The security manager should have first taken a forensic
image of the workstation’s hard drive before examining its
contents.
A, C, and D are incorrect. A is incorrect because the investigation
was not performed properly: the security manager could potentially
have tampered with the workstation’s hard drive and even planted
evidence. If the disciplined employee brings a legal challenge to
the organization, the challenge would cast doubt on the security
manager’s actions. C is incorrect because the damage has already
been done: the security manager’s initial examination of the hard
drive has tainted the integrity of the hard drive; this cannot be
undone. D is incorrect because a warrant is not required for an
organization to conduct an examination and analyze its own
property—in this case, a workstation.
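The difference between examining a live workstation and examining a forensic image can be shown concretely. The following is an added example and not code from the book: a constructed byte string stands in for the subject drive, and the helper names (acquire_image, investigate, examine_live_without_imaging) are hypothetical. It records a SHA-256 hash at acquisition, performs the keyword search on the working copy only, and then re-verifies both the image and the original against that hash. The "live" variant shows why the security manager's approach is weak: even logging on writes to the disk, so the drive no longer matches any hash taken beforehand and nothing can prove evidence was not added.

```python
import hashlib

# Constructed stand-in for the raw contents of the subject workstation's drive.
SUBJECT_DRIVE = (
    b"NTFS\x00 boot sector ... "
    + b"[user profile] cached file: suspect-content.jpg\n"
    + b"[event log] 4624 logon user=employee\n" * 3
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(drive: bytes) -> tuple:
    """Bit-for-bit copy of the subject drive plus the hash recorded at
    acquisition. A write blocker between the imaging workstation and the
    drive is what guarantees `drive` is not modified during this step."""
    image = bytes(drive)            # the working copy analysts will examine
    return image, sha256(drive)     # acquisition hash of the original


def examine(image: bytes, keyword: bytes) -> bool:
    """All analysis is done on the working copy, never on the original."""
    return keyword in image


def verify_integrity(data: bytes, acquisition_hash: str) -> bool:
    """True when the bytes still match the hash recorded at acquisition."""
    return sha256(data) == acquisition_hash


def investigate(drive: bytes, keyword: bytes) -> dict:
    """Image first, examine the copy, then show that neither the copy nor
    the original changed. The two verification flags are what opposing
    counsel would ask about."""
    image, acq_hash = acquire_image(drive)
    found = examine(image, keyword)
    return {
        "acquisition_hash": acq_hash,
        "evidence_found": found,
        "image_matches_original": verify_integrity(image, acq_hash),
        "original_unchanged": verify_integrity(drive, acq_hash),
    }


def examine_live_without_imaging(drive: bytes, keyword: bytes) -> tuple:
    """What the security manager in Q11 effectively did. Logging on writes
    to the disk (simulated here by appending a constructed logon record),
    so the drive no longer matches any hash taken beforehand and the
    evidence it holds can be challenged as planted."""
    live = bytearray(drive)
    live += b"[event log] 4624 logon user=secmgr\n"   # constructed entry
    return bytes(live), keyword in live
```

Calling investigate(SUBJECT_DRIVE, b"suspect-content") finds the evidence with both integrity flags true; examine_live_without_imaging finds the same evidence, but the returned drive contents no longer verify against the original's hash.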
12. Under California's 2002 data breach notification law (SB 1386),
under what circumstances is an organization not required to notify
affected parties of a breach of personally identifiable information
(PII)?
A. When the organization cannot identify affected parties
B. When the PII is encrypted at rest
C. When the number of compromised records is less than 20,000
D. When the number of total records is less than 20,000
B. Under California's 2002 breach notification law (SB 1386), an
organization is not required to notify affected parties of a breach if
the compromised personal information was encrypted (the law's
encryption safe harbor); in this question, encrypted at rest.
A, C, and D are incorrect. A is incorrect because even when an
organization is unable to identify all of the specific parties affected
by a security breach, the organization is required to publicly
announce the breach. C is incorrect because there is no lower limit
on the number of compromised records. D is incorrect because
there is no limit on the size of a compromised database.
13. Which of the following is not considered a part of a security incident
post-incident review?
A. Motivations of perpetrators
B. Effectiveness of response procedures
C. Accuracy of response procedures
D. Improvements in preventive controls
A. The motivation of the perpetrators is generally not a part of a
security incident post-incident review. Of the available answers,
this is the least likely to be a part of a post-incident review.
B, C, and D are incorrect. B is incorrect because the effectiveness
of response procedures is a key focus area in a post-incident
review; it helps ensure that similar incidents in the future can be
handled more effectively. C is incorrect because the accuracy of
response procedures is considered; it helps ensure that
organizations will handle similar future incidents more accurately.
D is incorrect because a review of preventive (also detective and
administrative) controls is a key focus of a post-incident review; it
helps ensure that opportunities for improvements in relevant
controls can help reduce the probability and/or impact of future
events.
14. Which of the following is usually not included in a cost analysis of a
security incident during the post-incident review?
A. Penalties and legal fees
B. Notification to external parties
C. Assistance by external parties
D. Loss of market share
D. Market share is generally not included in a cost analysis of a
security event, because changes in market share may be more long-
term and potentially unknown for several months, quarters, or
more. Changes in market share are also more difficult to attribute,
as many other forces contribute to these changes.
A, B, and C are incorrect. A is incorrect because penalties (from
regulators, customers, and others) and legal fees are generally
included in the overall cost of a security breach. B is incorrect as
the cost of notification to affected parties is generally included
among the costs of a security breach. C is incorrect because
professional services fees and other costs from outside parties in
support of the investigation, forensics, analysis, and other activities
are generally included.
15. Which of the following describes the best practice for capturing login
log data?
A. Capture all unsuccessful login attempts. Capture user ID,
password, IP address, and location.
B. Capture all successful and unsuccessful login attempts. Capture
user ID, password, IP address, and location.
C. Capture all successful and unsuccessful login attempts. Capture
user ID, IP address, and location.
D. Capture all unsuccessful login attempts. Capture user ID, IP
address, and location.
C. The best practice for logging authentication events is to capture
all successful and unsuccessful login attempts, recording the user ID,
source IP address, and location (if known), and never the password.
A, B, and D are incorrect. A is incorrect because successful login
attempts should also be captured, and passwords should not be
captured. B is incorrect because passwords should not be captured.
D is incorrect because successful logins should also be captured.
16. What is the best method for utilizing forensic investigation assistance
in organizations too small to hire individuals with forensic
investigation skills?
A. Utilize interns from a nearby college or university that teaches
cyber-forensic investigations.
B. Request assistance from law enforcement at the city,
state/province, or national level.
C. Obtain an incident response retainer from a cybersecurity firm that
specializes in security incident response services.
D. Use one of several cloud-based, automated forensic examination
services.
C. Most organizations cannot justify hiring a cybersecurity
specialist who has computer and network forensic investigations
skills and experience. Such organizations should obtain an incident
response retainer from a qualified cybersecurity professional
services firm that will render assistance if and when a security
incident occurs.
A, B, and D are incorrect. A is incorrect because interns will
generally not have sufficient experience to be able to complete a
forensic investigation and create a chain of custody. B is incorrect
because law enforcement agencies, most of which have insufficient
computer forensics resources, are generally not available to
perform computer or network forensic analysis unless it is
associated with a major crime. D is incorrect because there are no
cloud-based forensic examination services (at the time of this
writing).
17. An organization that obtains a SIEM is hoping to improve which
security incident response–related metric?
A. Remediation time
B. Dwell time
C. Postmortem quality
D. Damage assessment
B. Dwell time, or the time that elapses from the start of an incident
to the realization that the incident has occurred (or is still
occurring), can be improved through the use of a security
information and event management system (SIEM). Collecting log
data from systems in the organization, a SIEM correlates log
events and produces alerts when actionable incidents are
discovered.
A, C, and D are incorrect. A is incorrect because a SIEM will have
a negligible impact on remediation time. C is incorrect because a SIEM
will have little or no impact on postmortem quality. D is incorrect
because a SIEM will have only minor impact on damage
assessment.
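Questions 15 and 17 fit together: the login records Q15 describes are the raw material for the correlation that lets a SIEM cut dwell time in Q17. The following added example (not from the book; the function names auth_event and detect_bruteforce_then_success and the log lines are constructed) builds a login record that carries user ID, source IP, location and outcome and refuses outright to record a password, then runs a simple SIEM-style rule over a batch of records: many failures from one source IP followed by a success within a time window. The rule can only fire because both successful and unsuccessful attempts were captured.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Field names that must never appear in a login record (Q15: passwords
# are not captured, even for failed attempts).
FORBIDDEN_FIELDS = {"password", "passwd", "secret", "token"}


def auth_event(user_id, src_ip, success, location=None, when=None, **extra):
    """Build one login log record with the fields Q15 calls for. Any
    attempt to include a secret is refused rather than silently dropped."""
    leaked = FORBIDDEN_FIELDS & {k.lower() for k in extra}
    if leaked:
        raise ValueError(f"refusing to log secret field(s): {sorted(leaked)}")
    return {
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "event": "login",
        "user_id": user_id,
        "src_ip": src_ip,
        "location": location,   # None when geolocation is not known
        "outcome": "success" if success else "failure",
        **extra,
    }


def detect_bruteforce_then_success(events, max_failures=5, window=timedelta(minutes=10)):
    """SIEM-style correlation rule: `max_failures` or more failed logins
    from one source IP, followed by a success from that IP within
    `window`. Failures older than the window are forgotten as time moves."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        recent_failures = []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            recent_failures = [f for f in recent_failures if t - f <= window]
            if e["outcome"] == "failure":
                recent_failures.append(t)
            elif len(recent_failures) >= max_failures:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "src_ip": ip,
                    "user_id": e["user_id"],
                    "failures_in_window": len(recent_failures),
                    "ts": e["ts"],
                })
                recent_failures = []
    return alerts


def sample_events():
    """Constructed log lines: a password-spraying source that eventually
    gets into one account, and a legitimate user who mistypes once."""
    t0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    attacker = "203.0.113.7"
    events = [
        auth_event(user, attacker, False, "unknown", t0 + timedelta(seconds=30 * i))
        for i, user in enumerate(["admin", "jsmith", "root", "jdoe", "svc-backup", "jsmith"])
    ]
    events.append(auth_event("jsmith", attacker, True, "unknown", t0 + timedelta(minutes=4)))
    events.append(auth_event("mlee", "198.51.100.4", False, "Seattle, US", t0 + timedelta(minutes=1)))
    events.append(auth_event("mlee", "198.51.100.4", True, "Seattle, US", t0 + timedelta(minutes=2)))
    return events
```

Running detect_bruteforce_then_success(sample_events()) yields a single alert for 203.0.113.7 against jsmith with six failures in the window; the legitimate user's one mistyped password does not trip the rule. Had only failures been logged (answers A and D in Q15), the success that makes the sequence an actual compromise would be invisible.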
18. An organization has deployed DLP solutions on its endpoints and file
servers, but an adversary was able to exfiltrate data nonetheless. What
solution should the organization next consider to detect unauthorized
data exfiltration?
A. Network anomaly detection
B. Advanced antimalware
C. Endpoint firewalls
D. DDoS mitigation
A. Network anomaly detection, including analysis of NetFlow (or similar
flow) records, baselines normal network behavior per host and reports
traffic that departs from it, such as an unusually large outbound
transfer to a destination the host does not normally contact.
B, C, and D are incorrect. B is incorrect because advanced
antimalware is not designed to detect data exfiltration. C is
incorrect because endpoint firewalls will not appreciably add to
endpoint-based data loss prevention (DLP) in terms of detecting
data exfiltration. D is incorrect because distributed denial-of-
service (DDoS) mitigation will not help with the detection of data
exfiltration.
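The baselining that answer A describes can be demonstrated on flow records. The following is an added example, not from the book; the flow records are constructed NetFlow-like dicts and the function names (build_baseline, detect_egress_anomalies) are hypothetical. It learns each internal host's hourly outbound volume over a training period, then flags an hour that is both far outside that host's own distribution (z-score) and large in absolute terms, reporting the destination that received most of the bytes. Endpoint DLP that inspects file content never sees this signal; flow-level volume does.

```python
import statistics
from collections import defaultdict

INTERNAL_PREFIXES = ("10.", "192.168.")


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def egress_by_host_hour(flows):
    """Sum bytes that left the internal network, keyed by (host, hour).
    A flow record is a dict with src, dst, dport, bytes and hour."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["hour"])] += f["bytes"]
    return totals


def build_baseline(history):
    """Per-host mean and standard deviation of hourly egress over the
    training period. Hosts with fewer than two observations get no baseline."""
    per_host = defaultdict(list)
    for (host, _hour), b in egress_by_host_hour(history).items():
        per_host[host].append(b)
    return {h: (statistics.mean(v), statistics.pstdev(v))
            for h, v in per_host.items() if len(v) >= 2}


def top_destination(flows, host, hour):
    """Which external destination and port took most of the bytes."""
    by_dst = defaultdict(int)
    for f in flows:
        if f["src"] == host and f["hour"] == hour and not is_internal(f["dst"]):
            by_dst[(f["dst"], f["dport"])] += f["bytes"]
    return max(by_dst, key=by_dst.get) if by_dst else None


def detect_egress_anomalies(baseline, recent, z_threshold=3.0, min_bytes=50_000_000):
    """Flag (host, hour) pairs whose outbound volume is both far outside
    the host's own baseline and large in absolute terms, so a quiet host
    sending a few kilobytes more than usual does not page anyone. A host
    with no baseline is reported on absolute volume alone."""
    alerts = []
    for (host, hour), b in egress_by_host_hour(recent).items():
        if b < min_bytes:
            continue
        z = None
        if host in baseline:
            mean, sd = baseline[host]
            z = (b - mean) / sd if sd > 0 else float("inf")
            if z < z_threshold:
                continue
        alerts.append({"host": host, "hour": hour, "bytes": b, "z": z,
                       "top_dst": top_destination(recent, host, hour)})
    return alerts


def sample_flows():
    """Constructed records: seven working days of ordinary HTTPS traffic
    from two workstations, then a day on which 10.0.0.5 pushes ~900 MB to
    a single external host at 02:00. The 445 flow is internal and ignored."""
    history, recent = [], []
    for day in range(1, 8):
        for hour in range(8, 18):
            label = f"2024-03-{day:02d}T{hour:02d}"
            history.append({"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "hour": label,
                            "bytes": 3_000_000 + ((day * 7 + hour * 13) % 11) * 200_000})
            history.append({"src": "10.0.0.9", "dst": "203.0.113.10", "dport": 443, "hour": label,
                            "bytes": 2_000_000 + ((day * 5 + hour * 3) % 7) * 150_000})
    for hour in range(8, 18):
        label = f"2024-03-08T{hour:02d}"
        recent.append({"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "bytes": 3_400_000, "hour": label})
        recent.append({"src": "10.0.0.9", "dst": "203.0.113.10", "dport": 443, "bytes": 2_300_000, "hour": label})
    recent.append({"src": "10.0.0.5", "dst": "198.51.100.77", "dport": 443,
                   "bytes": 900_000_000, "hour": "2024-03-08T02"})
    recent.append({"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445,
                   "bytes": 120_000_000, "hour": "2024-03-08T02"})
    return history, recent
```

With the constructed data, detect_egress_anomalies returns one alert: 10.0.0.5 at 2024-03-08T02, 900 MB to 198.51.100.77:443, hundreds of standard deviations above the host's mean. The internal SMB transfer in the same hour is excluded because it never leaves the network.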
19. At what point in the security incident response process should the
general counsel be notified?
A. During quarterly reporting of key risk indicators
B. During the post-incident review
C. When the incident is initially declared
D. When notification of regulators or external parties is likely
D. The general counsel, sometimes known as the chief legal officer,
should be notified when it is determined that there may be a need
to report the incident to regulators or other affected parties. The
general counsel is responsible for the interpretation of applicable
laws and other legal obligations (such as private contracts between
organizations) and for making decisions regarding actions required
by those laws and contracts.
A, B, and C are incorrect. A and B are incorrect because the
general counsel should be notified during serious incidents, not
after they have concluded. C is incorrect because the general
counsel does not need to be informed of minor incidents.
20. What should a security incident response plan utilize to ensure
effective notifications of internal and external parties?
A. Business continuity plan
B. Crisis response plan
C. Contact list
D. Disaster recovery plan
B. A crisis response plan typically contains contact information for
parties to be contacted in various business emergency scenarios,
including security incidents and breaches.
A, C, and D are incorrect. A is incorrect because a business
continuity plan does not generally contain detailed information
regarding the notification of internal and external parties. C is
incorrect because a contact list does not, by itself, define which
parties are contacted, at what times, and in what circumstances. D
is incorrect because a disaster recovery plan does not generally
contain detailed information regarding the notification of other
parties.
21. An organization recently suffered a security attack in which the
attacker gained a foothold in the organization through the exploit of a
weakness in an Internet-facing system. The root-cause analysis in the
post-incident review indicated that the cause of the incident was the
lack of a particular security patch on the system that was initially
attacked. What can the security leader conclude from the root cause?
A. System engineers need additional training in patch management.
B. The firewall failed to block the attack.
C. The vulnerability management process needs to be improved.
D. The root-cause analysis was not sufficient to identify the real root
cause.
D. The root-cause analysis of this security incident is insufficient. It
is not appropriate to conclude that the breach occurred because of
the lack of a patch. Proper root-cause analysis would further ask
the following: Why was the patch missing? Why wasn’t this server
a part of the patch management process? Why did the server get
implemented without being included in the patch management
process? Why did the monthly review of patched systems miss this
new server? And why did an underqualified person perform the
monthly review? In this example string of questions, root-cause
analysis keeps asking why until no further information is available.
A, B, and C are incorrect. A is incorrect because this conclusion
cannot be reasonably reached based upon a missing patch. B is
incorrect because there is not enough information to conclude that
a firewall rule failure was the cause of the incident. C is incorrect
because there is not enough information to say which portion of
the vulnerability management process requires improvement.
22. What compensating control is most appropriate for the absence of
encryption of backup media?
A. Store backup media in locked containers in a keycard-access
controlled room.
B. Back up sensitive data to encrypted zip archives, which are backed
up to tape.
C. Obfuscate the names of files backed up to backup media.
D. Do not permit backup media to be removed from the processing
center.
A. Improving the physical security of unencrypted backup media is the
most feasible compensating control.
mainframe and midrange computer systems that do not have the
capability of encrypting backup media. But organizations, even
when using newer hardware, sometimes do not encrypt backup
media for a variety of valid reasons.
B, C, and D are incorrect. B is incorrect because there may be
insufficient resources to zip archive very large data sets. C is
incorrect because obfuscating filenames does little to protect the
information contained therein. D is incorrect because retaining
backup media in the processing center eliminates data assurance in
certain disaster scenarios in which systems and media are damaged
in the data center—for instance, in case of flood or fire.
23. The practice of proactively searching for signs of unauthorized
intrusions is known as what?
A. Geolocation
B. Password cracking
C. Threat hunting
D. Log correlation
C. “Threat hunting” is the term used to describe the activity by
which analysts use advanced tools to search for signs of possible
intrusions into systems. An example case of threat hunting
involves the search for a specific operating system file that has a
particular checksum, indicating that it has been altered with a
specific emerging form of malware.
A, B, and D are incorrect. A is incorrect because geolocation is
concerned with the identification of the geographic location of a
subject. B is incorrect because password cracking is used to derive
passwords from a hashed or encrypted password archive. D is
incorrect because log correlation is an activity performed by a
SIEM to identify potential intrusions or other unauthorized
activity.
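The hunt the answer describes, searching for a file whose checksum identifies it as altered or malicious, is the same kind of query-driven search Q41 later asks about. The following added example (not from the book; the host tree, the "malware" bytes and the "system file" are all constructed in a temporary directory, and the hashes are computed from those constructed bytes rather than taken from any real threat feed) walks a file system once, hashes every regular file, and reports two kinds of finding: a file whose hash is a known-bad indicator, and a monitored operating system file whose hash no longer matches its known-good value.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, bad_hashes, expected_good):
    """Walk `root` once, hashing every regular file. Report files whose
    hash is a known-bad indicator, and monitored files (keyed by relative
    path) whose hash no longer matches the known-good value. Results are
    sorted by path so repeated hunts compare cleanly."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        rel = p.relative_to(root).as_posix()
        if digest in bad_hashes:
            findings.append({"path": rel, "reason": "known-bad hash", "sha256": digest})
        if rel in expected_good and expected_good[rel] != digest:
            findings.append({"path": rel, "reason": "monitored file altered", "sha256": digest})
    return findings


def build_sample_tree():
    """Constructed host image in a temp directory. The dropper and the
    system binary are made-up byte strings; their hashes are derived here."""
    clean_svchost = b"constructed clean svchost binary\x00" * 16
    trojaned_svchost = clean_svchost + b"\x90\x90constructed implant stub"
    dropper = b"MZ\x90\x00constructed dropper payload"

    root = Path(tempfile.mkdtemp(prefix="hunt-"))
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Windows" / "System32" / "svchost.exe").write_bytes(trojaned_svchost)
    (root / "Users" / "jsmith" / "Downloads").mkdir(parents=True)
    (root / "Users" / "jsmith" / "Downloads" / "invoice.pdf.exe").write_bytes(dropper)
    (root / "Users" / "jsmith" / "Downloads" / "report.pdf").write_bytes(b"%PDF-1.4 harmless")

    iocs = {hashlib.sha256(dropper).hexdigest()}
    expected_good = {"Windows/System32/svchost.exe": hashlib.sha256(clean_svchost).hexdigest()}
    return root, iocs, expected_good
```

Running hunt over the tree from build_sample_tree reports exactly two findings: the dropper in Downloads (known-bad hash) and svchost.exe (monitored file altered); the harmless PDF is hashed but not reported. In practice the known-good table comes from a vendor manifest or a golden image and the IOC set from threat intelligence, and the same hunt is run across the fleet rather than one host.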
24. A SaaS-based e-mail services provider backs up its customer data
through the replication of data from one storage system in the main
processing center to another storage system in an alternative processing
center. This data assurance architecture leaves the organization
vulnerable to what type of attack?
A. LUN spoofing
B. Supply chain
C. Smurf
D. Ransomware
D. An organization that replicates data from one storage system to
another is likely to be vulnerable to ransomware: storage systems
will likely replicate the destructive encryption from the main
storage system to other storage systems. This would result in no
source of undamaged files from which to recover.
A, B, and C are incorrect. A is incorrect because LUN spoofing is a
fictitious term. B is incorrect because a supply chain attack targets a
supplier or manufacturer in an attempt to alter or substitute
components in a product (including software) before it reaches the
victim. C is incorrect because a Smurf attack is a denial-of-service
attack in which ICMP echo requests, with the source address spoofed to
the intended target's IP address, are sent to a network's IP broadcast
address so that every host on that network replies to the target.
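The failure mode in the answer, replication faithfully copying the attacker's encryption to the second site, is easy to model. The following is an added example, not from the book: the MirrorReplica and SnapshotStore classes are hypothetical, the mailbox data is constructed, and the "ransomware" is a toy XOR-and-rename. It contrasts a replica that tracks every change on the primary with a store of point-in-time snapshots that are written once and never updated, and shows which of the two still holds a clean copy after the primary is encrypted.

```python
class MirrorReplica:
    """Storage that continuously replicates the primary. Every change on
    the primary, including a ransomware rewrite, overwrites the copy."""
    def __init__(self):
        self.files = {}

    def sync(self, primary):
        self.files = dict(primary)


class SnapshotStore:
    """Point-in-time copies retained for a number of cycles. A snapshot is
    written once and never touched by later changes on the primary."""
    def __init__(self, retain=7):
        self.retain = retain
        self.snapshots = []

    def take(self, primary):
        self.snapshots.append(dict(primary))
        self.snapshots = self.snapshots[-self.retain:]

    def latest_clean(self, looks_encrypted):
        """Newest snapshot in which no file matches the damage predicate."""
        for snap in reversed(self.snapshots):
            if not any(looks_encrypted(name, data) for name, data in snap.items()):
                return dict(snap)
        return None


def ransomware_encrypt(primary, key=0x5A):
    """Toy stand-in for the attacker: XOR each file's bytes and rename it."""
    return {name + ".locked": bytes(b ^ key for b in data) for name, data in primary.items()}


def looks_encrypted(name, _data):
    return name.endswith(".locked")


def simulate():
    """Mailboxes replicated to a second site (the Q24 design) versus the
    same data protected by snapshots taken on a schedule."""
    mailboxes = {"alice.mbox": b"From: bob\nSubject: Q3 plan\n",
                 "bob.mbox": b"From: alice\nSubject: re: Q3 plan\n"}
    mirror, snapshots = MirrorReplica(), SnapshotStore(retain=3)

    # Normal operation: replication and snapshots both track the primary.
    primary = dict(mailboxes)
    mirror.sync(primary)
    snapshots.take(primary)

    # Ransomware runs on the primary; replication copies the damage across,
    # while the earlier snapshot is left untouched.
    primary = ransomware_encrypt(primary)
    mirror.sync(primary)
    snapshots.take(primary)

    return {
        "mirror_clean_files": sorted(n for n in mirror.files if not looks_encrypted(n, None)),
        "restored_from_snapshot": snapshots.latest_clean(looks_encrypted),
        "original": mailboxes,
    }
```

After simulate() runs, the mirror contains no clean files at all, while latest_clean returns the pre-encryption snapshot byte for byte. The retention window is the design parameter that matters: if snapshots are kept for fewer cycles than the attacker's dwell time, the clean copy has already aged out by the time encryption is noticed.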
25. An organization’s SIEM has generated alerts suggesting a user’s
workstation is being attacked by ransomware. What steps should be
taken in an effort to contain the incident?
A. Disconnect the user’s workstation from the network.
B. Disconnect the user’s workstation from the network and lock the
user’s account.
C. Lock the user’s account and scan the network for other infected
systems.
D. Pay the ransom and obtain decryption keys to recover lost data.
B. Disconnecting the user’s workstation and locking the user’s
account are the best first steps for containment. If the malware is
running on the workstation, disconnecting it should prevent the
loss of data on file shares that the user is permitted to access.
Locking the user’s account will help to slow down instances of
malware that may be present on other systems.
A, C, and D are incorrect. A is incorrect because there may be
other instances of malware running under the user’s account on
other systems. C is incorrect because although the user’s account
should be locked right away, scanning for other infected systems is
a reasonable step later in the containment phase. D is incorrect
because paying a ransom does not facilitate data recovery in about
half of all ransomware cases.
26. What is the likely role of the chief marketing officer in an information
security incident?
A. Keep records of security incident proceedings.
B. Update marketing collateral to state that security is important to the
organization.
C. Notify regulators of the incident.
D. Develop press releases that describe the incident and the
organization’s response to it.
D. One activity that the chief marketing officer will perform is the
development and distribution of press releases that describe the
incident and the steps that the organization is taking to contain it
and recover from it. Ideally, generic versions of these press
releases are written during incident response plan development.
A, B, and C are incorrect. A is incorrect because a marketing
person is an unlikely choice to serve as the incident response
team’s scribe. B is incorrect because such collateral updates are not
a part of incident response, but activities that take place whenever
the organization wishes to update its marketing messaging. C is
incorrect because it is more likely that senior executives or the
general counsel will be notifying regulators.
27. An organization has determined that there are no resources who have
experience with malware reverse engineering and analysis. What is the
organization’s best short-term remedy for this deficiency?
A. Employ log correlation and analysis on the SIEM.
B. Obtain tools that perform malware reverse engineering.
C. Obtain an incident response retainer from a qualified security
consulting firm.
D. Train incident responders in malware analysis.
C. The best short-term solution is to obtain a retainer from a
security incident response firm that has staff and tooling available
for this purpose. A viable long-term remedy may include training
of in-house staff and acquisition of malware analysis tools.
A, B, and D are incorrect. A is incorrect because log correlation
and analysis on a SIEM does not help with the reverse engineering of
malware samples. B is incorrect because malware analysis tools are not
helpful if personnel are not trained in their use. D is incorrect
because training is not a viable short-term remedy.
28. Why should forensic analysis tools not be placed on incident
responders’ daily-use workstations?
A. Workstations would become too costly and be a theft risk.
B. Incident responders will not be able to complete daily tasks during
incident response.
C. Daily-use workstations do not have sufficient RAM capacity.
D. Daily-use activities may influence forensic tools and cast doubt on
their integrity.
D. The rule for forensic analysis tools is that they must be run on
dedicated, isolated systems that are used for no other purpose.
Only this will instill confidence that other activities cannot
influence the outcome of forensic investigations.
A, B, and C are incorrect. A is incorrect because theft risk is not a
significant risk; still, it can be mitigated through secure storage of
forensic computers. B is incorrect because this does not address the
need for system isolation. C is incorrect because RAM capacity
does not address the need for the forensic analysis system to be
isolated from other activities.
29. A post-incident-review process addresses all of the following except
which one?
A. Root-cause analysis
B. Selection of future incident response personnel
C. Potential improvements in preventive and detective controls
D. Potential improvements in security incident response procedures
B. The selection of future incident response personnel is not likely
to be included in a post-incident review. But on the topic of
incident response personnel, issues of their training and knowledge
may be discussed if there is a need for improvement.
A, C, and D are incorrect. A is incorrect because a sound incident
response post-incident review will include root-cause analysis to
identify the root cause of the incident. C is incorrect because a
post-incident review will strive to identify improvements in
controls to increase awareness of an incident and reduce its impact
and probability of occurrence. D is incorrect because a post-incident
review attempts to find improvement opportunities in the incident
response process itself.
30. Which of the following best describes how the impact of a security
incident should be reported to management?
A. Hard costs and soft costs
B. Hard costs, soft costs, and qualitative impacts
C. The total of all outsourced professional services
D. The total of all hardware replacement for affected systems
B. Because the costs and impact of a security incident can vary, the
best approach is to report on specific hard costs, including
professional services, tooling, and equipment, as well as soft costs,
including the labor hours by in-house staff, together with
qualitative impacts such as market share or reputation damage that
are difficult to quantify.
A, C, and D are incorrect. A is incorrect because hard costs and
soft costs ignore qualitative impacts such as loss of market share
and reputational damage. C is incorrect because the cost of
outsourced services probably does not represent the totality of hard
costs, and it does not represent qualitative impact such as
reputation. D is incorrect because hardware replacement, when it is
needed at all, is probably a small portion of the total cost of an
incident.
31. For what reason(s) would an IT service desk incident ticketing system
be inappropriate for the storage of information related to security
incidents?
A. Automatic escalations would be timed incorrectly.
B. A service desk incident ticketing system is designed for a different
purpose.
C. Sensitive information about an incident would be accessible to too
few personnel.
D. Sensitive information about an incident would be accessible to too
many personnel.
D. The primary reason why an IT service desk incident ticketing
system would not be used for security incidents is the potential for
highly sensitive information in the ticketing system being available
to all service desk and other IT personnel. A potential compromise
is to record all incidents in the service desk ticketing system but
store the most sensitive information (such as suspected personnel
in an insider event or details about sensitive affected data or
sensitive exploit information) elsewhere and reference it in the
ticketing system.
A, B, and C are incorrect. A is incorrect because escalations can
usually be customized for incidents of various types and severities. B
is incorrect because purpose is not the obstacle: with appropriate
access controls, a service desk ticketing system can be used to track
security incidents. C is incorrect because it states the concern
backwards: the risk is that sensitive incident details become available
to too many people, not too few.
32. At what point during security incident response should law
enforcement be contacted?
A. When root-cause analysis during post-incident review identifies
that a law has been broken
B. When directed by the incident response plan and approved by the
incident response commander
C. When directed by the incident response plan and approved by the
general counsel
D. When the incident response commander determines a law has been
broken
C. Law enforcement should be contacted when the incident
response plan suggests such contact and when the general counsel
has specifically approved it.
A, B, and D are incorrect. A is incorrect because a post-incident
review is generally far too late to notify law enforcement. B and D
are incorrect because the incident commander is not the
appropriate party to approve contact with law enforcement.
33. SOC operators and the incident response team have confirmed that an
intruder has successfully compromised a web server and is logged in to
it. The IR team wants to take steps to contain the incident but doesn’t
want to disrupt operations unnecessarily. What approach should the IR
team take?
A. Test the proposed changes in a test environment first.
B. Take containment steps as quickly as possible.
C. Lock the user account and reboot the server.
D. Turn on firewall debugging.
A. When an incident response team is attempting to remove an
intruder from a live system, it is often best first to test any changes
in a test environment to understand the actual impact of such
removal.
B, C, and D are incorrect. B is incorrect because hastily made
containment steps may disrupt the operations of the system. C is
incorrect because rebooting the server may have a significant
impact on operations (it is not revealed whether the affected server
has no counterparts or is part of a server farm). D is incorrect
because firewall debugging is not likely to help in incident
containment.
34. All of the following are metrics for security incident response, except
which one?
A. Dwell time
B. Lag time
C. Containment time
D. Time to notify affected parties
B. “Lag time” is not a common term in information security
metrics and is not likely to be reported.
A, C, and D are incorrect. A is incorrect because dwell time, or the
time that elapses between the start of an incident and the
organization’s awareness of the incident, is a common and
meaningful metric. C is incorrect because containment time is a
common and meaningful metric. D is incorrect because the time to
notify affected parties is a common and meaningful metric.
35. An organization recently suffered a significant security incident. The
organization was surprised by the incident and believed that this kind
of event would not occur. To avoid a similar event in the future, what
should the organization do next?
A. Commission an enterprise-wide risk assessment.
B. Commission a controls maturity assessment.
C. Commission an internal and external penetration test.
D. Commission a controls gap assessment.
A. An enterprise-wide risk assessment is the best option here so
that risks of all kinds can be identified and remedies suggested for
mitigating them.
B, C, and D are incorrect. B is incorrect because it's possible that
there are missing controls; a controls maturity assessment takes too
narrow a view here and focuses only on existing controls, when the
problem might be controls that are nonexistent. C is incorrect
because the nature of the incident is unknown and may not be
related to technical vulnerabilities that a penetration test would
reveal (for example, it may have been phishing or fraud). D is
incorrect for the same reason as B: a controls gap assessment also
takes too narrow a view, starting from the controls the organization
already has rather than from the risks it faces.
36. Security analysts in the SOC have noticed that the organization’s
firewall is being scanned by a port scanner in a hostile country.
Security analysts have notified the security manager. How should the
security manager respond to this matter?
A. Declare a high-severity security event.
B. Declare a low-severity security event.
C. Take no action.
D. Direct the SOC to block the scan’s originating IP address.
D. The best course of action among those offered is to block the IP
address from which the port scan originates. Even this may not be
strictly necessary, because a port scan is not, by itself, a serious
matter; it may, however, be reconnaissance by an intruder who is
targeting the organization.
A, B, and C are incorrect. A is incorrect because a port scan is not a
high-severity security matter. B is incorrect because this is not the
best answer; however, some organizations might consider a port
scan a low-level security incident and respond in some way, such
as blocking the IP address. C is incorrect because taking no action
at all is not the best course of action.
37. Security analysts in the SOC have noticed a large volume of phishing
e-mails that originate from a single “from” address. Security analysts
have notified the security manager. How should the security manager
respond to the matter?
A. Declare a high-level security incident.
B. Block all incoming e-mail from that address at the e-mail server or
spam filter.
C. Issue an advisory to all employees to be on the lookout for
suspicious messages and to disregard them.
D. Block the originating IP address.
B. Of the choices available, the best one is to block any new
incoming e-mail messages from the offending e-mail address. A
better solution would be the use of a system that would do this
automatically, as well as retrieve any offending messages already
delivered to some users before the message was recognized as
harmful.
A, C, and D are incorrect. A is incorrect because this is not the best
choice. However, depending on the nature of the threat (which is
not revealed in this question), if the phishing is known to carry a
malicious payload known to infect user machines successfully in
the organization, then perhaps a high-severity incident is the right
course of action. C is incorrect because this is not the best choice.
However, in the absence of antiphishing controls, this may be the
organization’s best choice. D is incorrect because this is not the
best choice; the adversary may be able to continue sending e-mails
from different servers.
38. Why is hardware asset inventory critical for the success of security
incident response?
A. Critical processes such as software asset and software licensing
depend upon accurate asset inventory.
B. Incident responders can better understand what assets may be
involved in an incident.
C. Vulnerability scans need to cover all hardware assets so that all
assets are scanned.
D. Penetration tests need to cover all hardware assets so that all assets
are scanned.
B. During a security incident, an accurate, complete, and up-to-date
asset inventory can help incident responders respond more
effectively during a security incident.
A, C, and D are incorrect. A is incorrect because, although software
asset management and licensing depend on an accurate hardware
inventory, that dependency says nothing about incident response. C and
D are incorrect because vulnerability scanning and penetration testing,
while important, are only a portion of the critical activities that
depend upon effective asset management, and neither is the reason
inventory matters during incident response.
39. Of what possible value is system classification in the context of
security incident response?
A. System classification informs incident responders on what
information is stored in systems.
B. System classification helps incident responders better understand
the relative importance of systems.
C. System classification helps incident responders understand
dependencies between systems.
D. System classification informs incident responders of the location
of systems.
B. System classification helps incident responders better
understand the relative importance of various systems. This may
play a role in incident escalation or communication.
A, C, and D are incorrect. A is incorrect because system
classification may not indicate anything about information stored
on, or processed by, a system. C is incorrect because system
classification does not generally indicate dependencies. D is
incorrect because system classification does not generally reveal
location information.
40. The corporate controller in an organization notified the CISO that an
employee recently received an e-mail from the CEO with instructions
to wire a large amount of money to an offshore bank account that is
part of secret merger negotiations. The corporate controller has
determined that this was a fraudulent transaction. How should the
CISO respond?
A. Declare a security incident.
B. Call the bank.
C. Notify law enforcement.
D. Conduct a reverse wire transfer.
A. The best course of action is to declare a security incident, so that
appropriate incident responders can begin an investigation and
notify other parties, such as the legal department.
B, C, and D are incorrect. B is incorrect because a security incident
should first be declared. It is likely that the bank will soon be
notified as a part of incident response proceedings. C is incorrect
because a security incident should first be declared. Instructions in
the incident response plan will determine who is authorized to
approve notifications to outside parties, including law
enforcement. D is incorrect because there is no such transaction as
a reverse wire transfer.
41. A SOC analyst is using a system to perform queries to determine
whether any specific types of attacks or intrusions have occurred in the
organization. What is the SOC analyst doing?
A. Performing a penetration test
B. Conducting threat hunting
C. Performing a vulnerability scan
D. Conducting threat modeling
B. The process of looking for signs of intrusions is known as threat
hunting.
A, C, and D are incorrect. A is incorrect because a penetration test
is an activity used to identify and confirm exploitable
vulnerabilities in one or more systems. C is incorrect because a
vulnerability scan is an activity used to identify vulnerabilities in
one or more systems (and often is the first stage of a penetration
test). D is incorrect because threat modeling is an activity where
various types of threat scenarios are identified to determine
whether any are likely to occur.
42. A SOC analyst is using a tool to identify potential weaknesses in one or
more information systems. What is the SOC analyst doing?
A. Performing a penetration test
B. Conducting threat hunting
C. Performing a vulnerability scan
D. Conducting threat modeling
C. The process of identifying potential weaknesses is known as a
vulnerability scan.
A, B, and D are incorrect. A is incorrect because a penetration test
is an activity used to identify and confirm exploitable
vulnerabilities in one or more systems. B is incorrect because
threat hunting is the process of looking for signs of intrusions. D is
incorrect because threat modeling is an activity where various
types of threat scenarios are identified to determine whether any
are likely to occur.
43. Why is it important to take long-term steps to reduce dwell time?
A. Forensic imaging will take less time to acquire.
B. Vulnerability scans will take less time to complete.
C. Organizations will be aware of security vulnerabilities earlier.
D. Organizations will be aware of security incidents earlier.
D. Dwell time is the time between the onset of a security incident
and the organization’s realization of the security incident.
Reducing dwell time enables the organization to take containment
and eradication steps earlier, often resulting in less damage and
disruption.
A, B, and C are incorrect. A is incorrect because dwell time is not
related to forensic imaging. B is incorrect because dwell time is not
related to vulnerability scans. C is incorrect because dwell time is
not related to an organization’s realization of vulnerabilities, but of
security incidents.
44. A chain of custody should be established for all of the following
situations, except:
A. Computer intrusion by an external adversary
B. Employee terminated for lack of computer skills
C. Data theft perpetrated by an insider
D. Employee terminated for security policy violation
B. A situation where an organization is terminating an employee
for lack of computer skills is not likely to require a chain of
custody, because a skill or performance gap is not usually
associated with a security incident requiring a chain of custody.
A, C, and D are incorrect. A is incorrect because a computer
intrusion by an external adversary may require a chain of custody
should law enforcement want to prosecute the intruder. C is
incorrect because data theft perpetrated by an insider is a scenario
likely to require a chain of custody. D is incorrect because an
employee terminated for security policy violations is a scenario
likely to require a chain of custody, should the former employee
later sue the employer for wrongful termination.
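To make the chain-of-custody idea in this answer concrete, here is a minimal evidence-custody log written as an added example for this page (not code from the CISM materials): every hand-off is recorded, only the current custodian may release an item, and the recipient re-hashes the evidence so that any alteration surfaces as a broken chain rather than a silent change. Item identifiers, custodian names and the sample bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample evidence (not a real artifact): bytes standing in for an acquired file.
SAMPLE_EVIDENCE = b"constructed sample: exported mailbox of a departing employee\n"

def sha256_hex(data: bytes) -> str:
    """Fingerprint proving the evidence has not changed since acquisition."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    when: str          # ISO-8601 timestamp of the hand-off
    released_by: str
    received_by: str
    purpose: str       # e.g. "acquisition", "forensic analysis", "legal hold"
    sha256: str        # hash the recipient computed on receipt

@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_sha256: str
    custody_log: list = field(default_factory=list)

def acquire(item_id: str, description: str, data: bytes, examiner: str, when: str) -> EvidenceItem:
    """Start the chain: the acquiring examiner hashes the evidence and logs the first entry."""
    digest = sha256_hex(data)
    item = EvidenceItem(item_id, description, digest)
    item.custody_log.append(CustodyEntry(when, examiner, examiner, "acquisition", digest))
    return item

def transfer(item: EvidenceItem, data: bytes, released_by: str, received_by: str, purpose: str, when: str) -> None:
    """Record a hand-off. Only the current custodian may release, and the recipient
    re-hashes the copy; any mismatch is refused so the break is visible, not silent."""
    last = item.custody_log[-1]
    if released_by != last.received_by:
        raise ValueError(f"{item.item_id}: {released_by} is not the current custodian")
    digest = sha256_hex(data)
    if digest != item.acquisition_sha256:
        raise ValueError(f"{item.item_id}: hash mismatch on transfer to {received_by}")
    item.custody_log.append(CustodyEntry(when, released_by, received_by, purpose, digest))

def verify_chain(item: EvidenceItem, data: bytes) -> bool:
    """True only if every hand-off is continuous and every recorded hash, plus the copy presented now, equals the acquisition hash."""
    log = item.custody_log
    continuous = all(log[i].released_by == log[i - 1].received_by for i in range(1, len(log)))
    hashes_ok = all(e.sha256 == item.acquisition_sha256 for e in log)
    return continuous and hashes_ok and sha256_hex(data) == item.acquisition_sha256
```

A court or an opposing party can walk this log from acquisition to the present copy; a wrongful-termination claim in scenario D or a prosecution in scenario A rests on being able to show exactly that.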
45. How are the crisis management and security incident response
functions related?
A. Security incident response leverages crisis management’s
escalation model.
B. Crisis management and security incident response are not related.
C. Crisis management directs security incident response proceedings.
D. Crisis management leverages security incident response’s
escalation model.
A. In an organization with crisis management, a security incident
response plan will borrow from, or utilize, incident escalation and
other features from the crisis management plan, as opposed to
developing a similar, yet separate, escalation plan.
B, C, and D are incorrect. B is incorrect because security incident
response and crisis management are related, as both are concerned
with the principles and procedures to be followed in a business
emergency. C is incorrect because crisis management, which is a
general business emergency plan, will not include the detail
present in a security incident response plan. D is incorrect because
a crisis management plan will not typically borrow techniques
from a security incident response plan.