CISA Certified Information Systems Auditor – Question2616

An IS auditor has discovered that unauthorized customer management software was installed on a workstation. The auditor determines the software has been uploading customer data to an external party. Which of the following is the IS auditor’s BEST course of action?

A. Review other workstations to determine the extent of the incident.
B. Determine the number of customer records that were uploaded.
C. Notify the incident response team.
D. Present the issue at the next audit progress meeting.

Correct Answer: C

CISA Certified Information Systems Auditor – Question2615

Which of the following is MOST important for the improvement of an organization’s incident response processes?

A. Post-event reviews by the incident response team
B. Regular upgrades to incident management software
C. Ongoing incident response training for users
D. Periodic walk-through of incident response procedures

Correct Answer: A

CISA Certified Information Systems Auditor – Question2614

The MAIN reason an organization’s incident management procedures should include a post-incident review is to:

A. ensure evidence is collected for possible post-event litigation.
B. take appropriate action when procedures are not followed.
C. enable better reporting for executives and the audit committee.
D. improve processes by learning from identified weaknesses.

Correct Answer: D

CISA Certified Information Systems Auditor – Question2613

Which of the following metrics would be MOST helpful to an IS auditor in evaluating an organization’s security incident response management capability?

A. Number of business interruptions due to IT security incidents per year.
B. Number of IT security incidents reported per month
C. Number of malware infections in business applications detected per day.
D. Number of alerts generated by intrusion detection systems (IDS) per minute.

Correct Answer: A

CISA Certified Information Systems Auditor – Question2611

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

A. Abuses by employees have not been reported.
B. Vulnerabilities have not been properly addressed.
C. Security incident policies are out of date.
D. Lessons learned have not been properly documented.

Correct Answer: A

CISA Certified Information Systems Auditor – Question2609

An organization recently experienced a phishing attack that resulted in a breach of confidential information. Which of the following would be MOST relevant for an IS auditor to review when determining the root cause of the incident?

A. Email configurations
B. Simple mail transfer protocol (SMTP) logging
C. Browser configurations
D. Audit logging

Correct Answer: B