CISM Certified Information Security Manager – Question 1449

Which of the following is the MOST effective way to detect information security incidents?

A. Providing regular and up-to-date training for the incident response team
B. Establishing proper policies for response to threats and vulnerabilities
C. Performing regular testing of the incident response program
D. Educating end users on threat awareness and timely reporting

Correct Answer: B

CISM Certified Information Security Manager – Question 1448

An incident response team has determined there is a need to isolate a system that is communicating with a known malicious host on the Internet. Which of the following stakeholders should be contacted FIRST?

A. Executive management
B. System administrator
C. Key customers
D. The business owner

Correct Answer: B

CISM Certified Information Security Manager – Question 1446

An audit has determined that employee use of personal mobile devices to access the company email system is resulting in confidential data leakage. The information security manager’s FIRST course of action should be to:

A. treat the situation as a security incident to determine appropriate response.
B. implement a data leakage prevention tool to stem further loss.
C. isolate the mobile devices on the network for further investigation.
D. treat the situation as a new risk and update the security risk register.

Correct Answer: A

CISM Certified Information Security Manager – Question 1445

An organization experienced a data breach and followed its incident response plan. Later it was discovered that the plan was incomplete, omitting a requirement to report the incident to the relevant authorities. In addition to establishing an updated incident response plan, which of the following would be MOST helpful in preventing a similar occurrence?

A. Attached reporting forms as an addendum to the incident response plan
B. Management approval of the incident reporting process
C. Ongoing evaluation of the incident response plan.
D. Assignment of responsibility for communications.

Correct Answer: D

CISM Certified Information Security Manager – Question 1440

Which of the following is a MAIN security challenge when conducting a post-incident review related to bring your own device (BYOD) in a mature, diverse organization?

A. Ability to obtain possession of devices
B. Lack of mobile forensics expertise
C. Diversity of operating systems
D. Ability to access devices remotely

Correct Answer: C