A post-incident review revealed that key stakeholders took longer than acceptable to decide whether an application should be shut down following a security breach. Which of the following is management's BEST course of action to rectify this issue?
C. Define incident classification.
One of the key things that management can do to rectify the issue of key stakeholders taking too long to decide whether an application should be shut down following a security breach is to define incident classification. Incident classification is the process of categorizing incidents based on their severity and potential impact on the organization. By clearly defining the different levels of incidents, management can establish clear criteria for when an application should be shut down and can ensure that key stakeholders are aware of these criteria. This will help to ensure that decisions regarding application shutdowns are made quickly and effectively in the event of a security breach, which is crucial for containing the damage and minimizing the impact of the incident.
This is A. Improve incident response criteria. If stakeholders are stuck debating instead of acting, the criteria weren’t clear or actionable enough. The issue here is delayed decision making; none of the other answers are helping on this.
The more accurate response would be D.
They could not decide if the app should be shut down; that should be defined in the containment procedure, leaving no room for debate.
Shit question. Literally both A and C are defined in the official textbook as something that could be right.
A. Improve incident response criteria: The Manual notes that clear criteria for classifying and escalating incidents is vital for effective incident response (Domain 3, p. 122).
C. Define incident classification: Incident classification is part of incident response planning and can help in quicker decision-making (Domain 3, p. 122).
That being said... It says classification CAN help, not that it WILL help, whereas its feelings toward response criteria are more definitive.
“Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making (e.g., shut down a system, disconnect it from a network, or disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident.
Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly.
Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making.”
So the Option is D
The BEST course of action for management to rectify the issue of key stakeholders taking longer than acceptable to decide whether an application should be shut down following a security breach is to improve incident response criteria. By improving the incident response criteria, the decision-making process will become clearer and more efficient, allowing key stakeholders to make quicker decisions. This can include defining the decision-making process, establishing criteria for when an application should be shut down, and providing training to stakeholders on how to make effective decisions in incident response scenarios.
The correct answer is (A) Improve incident response criteria, cause it is the only answer that is looking to improve the decision-making process by providing a set of criteria by which a decision can be made. With a clear process saying when containment should take place, the response process should be much faster.
Rationale:
B. Improve incident response testing is great, but every incident is different and without a clear guideline of how to proceed the same problem will persist.
C. Define incident classification says what type of incident it is, but doesn't provide any guidance on how to do containment or when. That is what (A) is for.
D. Establish containment procedures is important for containment, but this comes after (A) has been done. Thus why (A) is more important.