Which of the following is MOST important for effective communication during incident response?

A. Maintaining a relationship with media and law enforcement
B. Maintaining an updated contact list
C. Establishing a recovery time objective (RTO)
D. Establishing a mean time to resolve (MTTR) metric

After a security incident has been contained, which of the following should be done FIRST?

A. Conduct forensic analysis
B. Notify local authorities
C. Restore the affected system from backup
D. Perform a complete wipe of the affected system

Which of the following BEST enables a more efficient incident reporting process?

A. Training executive management for communication with external entities
B. Educating the incident response team on escalation procedures
C. Educating IT teams on compliance requirements
D. Training end users to identify abnormal events

An information security manager has been alerted to a possible incident involving a breach at one of the organization's vendors. Which of the following should be done FIRST?

A. Discontinue the relationship with the vendor.
B. Perform incident recovery.
C. Perform incident eradication.
D. Engage the incident response team.

An information security manager has discovered a potential security breach in a server that supports a critical business process. Which of the following should be the information security manager's FIRST course of action?

A. Shut down the server in an organized manner.
B. Validate that there has been an incident.
C. Inform senior management of the incident.
D. Notify the business process owner.

An organization's information security manager is performing a post-incident review of a security incident in which the following events occurred:

• A bad actor broke into a business-critical FTP server by brute forcing an administrative password
• The third-party service provider hosting the server sent an automated alert message to the help desk, but was ignored
• The bad actor could not access the administrator console, but was exposed to encrypted data transferred to the server
• After three (3) hours, the bad actor deleted the FTP directory causing incoming FTP attempts by legitimate customers to fail

Which of the following poses the GREATEST risk to the organization related to this event?

A. Removal of data
B. Downtime of the service
C. Disclosure of stolen data
D. Potential access to the administration console

When establishing classifications of security incidents for the development of an incident response plan, which of the following provides the MOST valuable input?

A. Recommendations from senior management
B. The business continuity plan (BCP)
C. Business impact analysis (BIA) results
D. Vulnerability assessment results

An information security manager has been tasked with developing materials to update the board, regulatory agencies, and the media about a security incident. Which of the following should the information security manager do FIRST?

A. Invoke the organization's incident response plan.
B. Set up communication channels for the target audience.
C. Determine the needs and requirements of each audience.
D. Create a comprehensive singular communication.

Which of the following should be done FIRST when handling multiple confirmed incidents raised at the same time?

A. Activate the business continuity plan (BCP).
B. Update the business impact assessment.
C. Inform senior management.
D. Categorize incidents by the value of the affected asset.

An organization utilizes a third party to classify its customers' personally identifiable information (PII). What is the BEST way to hold the third party accountable for data leaks?

A. Include detailed documentation requirements within the formal statement of work.
B. Submit a formal request for proposal (RFP) containing detailed documentation of requirements.
C. Ensure a nondisclosure agreement is signed by both parties' senior management.
D. Require the service provider to sign off on the organization's acceptable use policy.