My first answer was C but… from CISM Review Manual 16th Edition: Containment—After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure. Activities in this phase include:
- Activating the IMT/IRT to contain the incident
- Notifying appropriate stakeholders affected by the incident
- Obtaining agreement on actions taken that may affect availability of a service or risk of the containment process
If the incident is verified, and it is not an event, then as an information security manager, not in an operational or technical role, the correct answer would be B. This question is vague and doesn't clarify your role. The first action to perform after an incident is verified is to prevent further damage to the organization. But that is an operational and technical role. It is asking for the most important thing to do, not the first thing to do. The most important thing a security manager would be doing for this incident is informing the key stakeholders.
The best answer remaining is C, because notifying the relevant senior management personnel according to the organization's pre-defined escalation policy provides details about the incident's nature, impact, and current response actions being taken. After the incident has been verified, the security manager should "contain" the incident by isolating compromised systems, networks, or accounts to prevent further damage and preserve evidence, then move on to the eradication and recovery phases to eliminate the threat and restore normal operations.
You need to contact the right people in order to see how you can contain. What if it's a production system that cannot be isolated, or similar? First ask, then act.
If they had said "what does an information security manager do?" it would be to escalate to stakeholders, but it says what would you do after the incident has been verified. I think it is clearly testing your awareness of the incident response process in this instance specifically. My opinion, though.
Although you do have to wear your "manager hat" for this exam, I'm gonna go with C here, as it seems to me that the question is basically asking about the steps/phases of incident response. The question explicitly says that you have identified and confirmed the incident taking place, giving you the initial phase of IR and asking "what now?". Well, the next step is to contain it and stop it from doing further damage, and only then do you inform the appropriate people.
Note that the question is quite vague when defining the incident - we don't know what type of incident it is (is it ransomware, is someone breaking the AUP by taking photos inside the secure environment, etc.). So that's why it is very tempting to select B. Again, going with C, but not 100% sure.
I think a common issue is people are thinking in technical terms. We have to think as a manager. The manager isn't stopping anything, they're directing people under them to do their job.
So I would say B is correct
I agree, but you are ultimately responsible. In front of a court, you will be sued if, instead of preventing the incident from spreading, you call your superior; prevent does not mean that you should go and directly act in the field, but you have to activate your team to do so, and you are ultimately responsible. If a boat is sinking because of a flaw, your first course of action is to organize to contain the flaw, put people in a safe position and then notify your superior on land.
I thought B as well, but what if there was an incident confirmed in a credit card database? The first step is to notify the data owner. And an incident doesn't mean an attack; there may be nothing to contain.
There is always containment after an incident. This involves taking swift action to stop the attack, limit its spread, and mitigate its impact on the organization's systems, data, and operations.
C. Prevent the incident from creating further damage to the organization.
While all the options listed are important, preventing further damage is the top priority. Once the incident has been confirmed, it's crucial to take immediate steps to contain and mitigate the threat to minimize any additional harm to the organization's systems, data, and reputation. After containment and mitigation efforts are underway, you can then proceed with the other steps, such as notifying law enforcement, informing key stakeholders, and conducting a forensic investigation to determine the root cause.
Response B, provided that the escalation process and the communicated information allow the key stakeholders to assess the consequences of a containment on their operations. Otherwise response C is better.
The first phase after an incident has been detected is containment. Informing the required stakeholders according to the escalation procedures comes next.
On similar questions, when the general "incident" was phrased differently and "ransomware" was stated explicitly, the obvious answer was to contain the incident and prevent it from spreading.