Incident Management
Drill 20 practice questions focused entirely on Incident Management for the ISACA CISM exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
During a business impact analysis (BIA) for a manufacturing company, the information security manager finds that the finance department claims its payroll system is the most critical asset requiring the shortest recovery time. However, an operations manager insists the production control system must be restored first, as a shutdown halts all revenue-generating output within hours. The two departments cannot agree on relative priority. What is the security manager's BEST next step to resolve the conflict and produce a defensible BIA?
During the investigation of a suspected fraud incident, a security analyst copies key log files and a disk image from the affected server to a shared network folder so that several team members can review them simultaneously. The incident may later result in legal action against an employee. From an evidence-handling perspective, what is the MOST significant problem with the analyst's action?
During a disaster recovery test, the information security manager observes that a critical order-processing system was restored and made operational within 5 hours, meeting its documented 6-hour recovery time objective (RTO). However, the recovered database was missing the last 3 hours of transactions before the outage, while the documented recovery point objective (RPO) for that system is 30 minutes. Which of the following is the MOST important conclusion the security manager should draw from this test result?
An organization's help desk logs all reported events into a ticketing system. The information security manager notices that unrelated events—malware alerts, data exposure reports, and phishing attempts—are all handled by the same generic workflow, causing specialized teams to be engaged inconsistently. Which improvement to the incident management process would MOST directly address this problem?
During a security event, a SOC analyst detects unusual outbound traffic from a server that hosts a customer-facing payment application. The analyst is unsure how urgently to escalate and which stakeholders to notify. Which activity, if performed FIRST, would BEST determine the appropriate escalation path and response resources?
During a major data breach affecting customers, a journalist calls a help-desk technician directly and asks for confirmation of the number of records exposed. The technician is aware of internal chatter about the incident. What should the incident response plan direct the technician to do?
A security analyst at a financial services firm notices unusual outbound traffic from a database server during routine monitoring. The analyst is unsure whether this rises to the level of a formal security incident that should activate the incident response team. Which of the following would MOST effectively help the analyst make this determination consistently?
During a contained malware incident, the response team discovers the infection has spread to the systems supporting the organization's primary customer-facing platform, and full restoration is now expected to exceed the documented maximum tolerable downtime. As the information security manager, what is the MOST appropriate next action?
A SOC analyst receives an automated alert from the intrusion detection system indicating possible lateral movement on an internal subnet. Before any containment actions are taken, what should the analyst do FIRST?
A security manager wants to improve the organization's ability to detect intrusions early. The SIEM currently generates thousands of alerts daily, but most are false positives, and a recent breach went undetected for weeks because malicious activity blended in with normal traffic. Which action would MOST effectively improve the organization's detection capability?
Six months after deploying a SIEM, the incident response team reports that analysts are ignoring most alerts because the vast majority turn out to be benign, and a recent malware infection went unnoticed for two weeks despite generating log entries. Which action should the information security manager prioritize to improve incident detection effectiveness?
During a security incident, the response team has successfully contained a compromised web server by isolating it from the network. Application services are being restored to a standby environment to maintain business operations. Before declaring the incident resolved, the incident manager insists on one additional step during the eradication phase. Which action is MOST important to complete before recovery is finalized?
During a confirmed intrusion, an attacker has established a foothold on a single server in a segmented DMZ but has not yet moved laterally. The incident response team is under pressure from operations to keep the customer-facing application online. The information security manager must decide on a containment strategy. Which factor should MOST influence the choice between immediate isolation and delayed containment?
A security analyst receives multiple SIEM alerts indicating suspicious lateral movement across several servers in a data center. The incident response team has confirmed the activity is malicious. Before selecting a containment approach, what is the MOST important activity the team should complete during the analysis phase?
A newly appointed information security manager reviews the organization's incident management capability and finds that the response team performs well during active incidents but consistently struggles because tools, access credentials, and contact lists are gathered on the fly. Which phase of the incident management lifecycle should the manager strengthen FIRST to address the root cause of these repeated struggles?
Following a sophisticated malware incident, the response team has removed the malicious code, patched the exploited vulnerability, and restored affected systems from clean backups. Business operations have resumed normally. Before formally declaring the incident closed, what should the incident manager ensure is done FIRST?
Following a widespread malware outbreak that forced a shutdown of multiple systems, the incident response team has completed eradication and validated that all affected hosts are clean. The information security manager must now guide the recovery phase. Several business units are demanding immediate restoration of their applications. What should PRIMARILY determine the sequence in which systems are brought back online?
Following the eradication of malware from a compromised customer-facing application, the incident response team has rebuilt the affected servers from known-good images. The business unit is pressuring the information security manager to return the application to production immediately to minimize revenue loss. Before authorizing the transition of the system back to normal operations, what should the information security manager ensure has been established FIRST?
During a malware incident, the incident response team has isolated the affected servers and removed the identified malicious files. Management is pressuring the information security manager to restore the servers to production immediately to minimize downtime. What should the information security manager do BEFORE authorizing recovery to production?
During a post-incident review, an information security manager discovers that the organization detected a sophisticated intrusion three weeks after the initial compromise, well after data had been exfiltrated. The SIEM was properly tuned and alerts were triaged promptly, but no rule existed to detect the specific attacker technique used. Which improvement would MOST effectively reduce the detection time for similar future attacks?
More CISM practice
Keep going with the other ISACA CISM — Certified Information Security Manager domains, or take a full timed mock exam.
← Back to CISM overview