CISM Certified Information Security Manager – Question1459

After the occurrence of a major information security incident, which of the following will BEST help an information security manager determine corrective actions?

A. Calculating cost of the incident
B. Conducting a postmortem assessment
C. Preserving the evidence
D. Performing an impact analysis

Correct Answer: D

CISM Certified Information Security Manager – Question1457

Which of the following is the PRIMARY responsibility of the designated spokesperson during incident response testing?

A. Communicating the severity of the incident to the board
B. Establishing communication channels throughout the organization
C. Evaluating the effectiveness of the communication processes
D. Acknowledging communications from the incident response team

Correct Answer: B

CISM Certified Information Security Manager – Question1456

A user reports a stolen personal mobile device that stores sensitive corporate data. Which of the following will BEST minimize the risk of data exposure?

A. Wipe the device remotely.
B. Remove user’s access to corporate data.
C. Prevent the user from using personal mobile devices.
D. Report the incident to the police.

Correct Answer: A

CISM Certified Information Security Manager – Question1455

Which of the following is the MOST important reason to consider the role of the IT service desk when developing incident handling procedures?

A. Service desk personnel have information on how to resolve common systems issues.
B. The service desk provides a source for the identification of security incidents.
C. The service desk provides information to prioritize systems recovery based on user demand.
D. Untrained service desk personnel may be a cause of security incidents.

Correct Answer: B

CISM Certified Information Security Manager – Question1454

Which of the following is MOST important for the effectiveness of an incident response function?

A. Enterprise security management system and forensic tools.
B. Establishing prior contacts with law enforcement
C. Training of all users on when and how to report
D. Automated incident tracking and reporting tools

Correct Answer: A

CISM Certified Information Security Manager – Question1451

Which of the following is a security manager’s FIRST priority after an organization’s critical system has been compromised?

A. Implement improvements to prevent recurrence.
B. Restore the compromised system.
C. Preserve incident-related data.
D. Identify the malware that compromised the system.

Correct Answer: C

CISM Certified Information Security Manager – Question1450

Which of the following is MOST important to verify when reviewing the effectiveness of response to an information security incident?

A. Lessons learned have been implemented.
B. Testing has been completed on time.
C. Test results have been properly recorded.
D. Metrics have been captured in a dashboard.

Correct Answer: D