Which of the following would BEST demonstrate the maturity level of an organization's security incident response program?

A. An increase in the number of reported incidents
B. A decrease in the number of reported incidents
C. A documented and live-tested incident response process
D. Ongoing review and evaluation of the incident response team

When responding to an incident, which of the following is required to ensure evidence remains legally admissible in court?

A. Law enforcement oversight
B. Chain of custody
C. A documented incident response plan
D. Certified forensics examiners

An organization's security was compromised by outside attackers. The organization believed that the incident was resolved. After a few days, the IT staff is still noticing unusual network traffic. Which of the following is the BEST course of action to address this situation?

A. Initiate the incident response process.
B. Identify potential incident impact.
C. Implement additional incident response monitoring tools.
D. Assess the level of the residual risk.

The head of a department affected by a recent security incident expressed concern about not being aware of the actions taken to resolve the incident. Which of the following is the BEST way to address this issue?

A. Ensure better identification of incidents in the incident response plan.
B. Discuss the definition of roles in the incident response plan.
C. Require management approval of the incident response plan.
D. Disseminate the incident response plan throughout the organization.

What is the PRIMARY purpose of communicating business impact to an incident response team?

A. To provide monetary values for post-incident review
B. To provide information for communication of incidents
C. To facilitate resource allocation for preventive measures
D. To enable effective prioritization of incidents

Which of the following techniques is MOST useful when an incident response team needs to respond to external attacks on multiple corporate network devices?

A. Penetration testing of network devices
B. Vulnerability assessment of network devices
C. Endpoint baseline configuration analysis
D. Security event correlation analysis

Which of the following is the PRIMARY goal of an incident response team during a security incident?

A. Ensure the attackers are detected and stopped
B. Minimize disruption to business-critical operations
C. Maintain a documented chain of evidence
D. Shut down the affected systems to limit the business impact

Which of the following should be communicated FIRST to senior management once an information security incident has been contained?

A. Whether the recovery time objective was met
B. A summary of key lessons learned from the incident
C. The initial business impact of the incident
D. Details on containment activities

An information security manager is reviewing the organization’s incident response policy affected by a proposed public cloud integration. Which of the following will be the MOST difficult to resolve with the cloud service provider?

A. Accessing information security event data
B. Regular testing of incident response plan
C. Obtaining physical hardware for forensic analysis
D. Defining incidents and notification criteria

Which of the following would be the MOST effective incident response team structure for an organization with a large headquarters and worldwide branch offices?

A. Centralized
B. Coordinated
C. Outsourced
D. Decentralized