My first answer was C, but from the CISM Review Manual, 16th Edition:

Containment—After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure. Activities in this phase include:
- Activating the IMT/IRT to contain the incident
- Notifying appropriate stakeholders affected by the incident
- Obtaining agreement on actions taken that may affect availability of a service or risk of the containment process
The best answer remaining is C. Notifying the relevant senior management personnel according to the organization's pre-defined escalation policy provides details about the incident's nature, impact, and current response actions being taken. After the incident has been verified, the security manager should "contain" the incident by isolating compromised systems, networks, or accounts to prevent further damage and preserve evidence, then move on to the eradication and recovery phases to eliminate the threat and restore normal operations.
You need to contact the right people in order to see how you can contain. What if it's a production system that cannot be isolated, or similar? First ask, then act.
If they had asked what an information security manager does, it would be to escalate to stakeholders, but it says what would you do after the incident has been verified. I think it is clearly testing your awareness of the incident response process in this instance specifically. My opinion, though.
Although you do have to wear your "manager hat" for this exam, I'm gonna go with C here, as it seems to me that the question is basically asking about the steps/phases of incident response. The question explicitly says that you have identified and confirmed the incident taking place, giving you the initial phase of IR and asking "what now?". Well, the next step is to contain it and stop it from doing further damage, and only then do you inform the appropriate people.
Note that the question is quite vague when defining the incident; we don't know what type of incident it is (is it ransomware, is someone breaking the AUP by taking photos inside the secure environment, etc.). So that's why it is very tempting to select B. Again, going with C, but not 100% sure.
I think a common issue is people are thinking in technical terms. We have to think as a manager. The manager isn't stopping anything, they're directing people under them to do their job.
So I would say B is correct
I thought B as well, but what if there was an incident confirmed in a credit card database? The first step is to notify the data owner. And an incident doesn't mean an attack; there may be nothing to contain.
There is always containment after an incident. This involves taking swift action to stop the attack, limit its spread, and mitigate its impact on the organization's systems, data, and operations.
C. Prevent the incident from creating further damage to the organization.
While all the options listed are important, preventing further damage is the top priority. Once the incident has been confirmed, it's crucial to take immediate steps to contain and mitigate the threat to minimize any additional harm to the organization's systems, data, and reputation. After containment and mitigation efforts are underway, you can then proceed with the other steps, such as notifying law enforcement, informing key stakeholders, and conducting a forensic investigation to determine the root cause.
Response B, given that the escalation process and the communicated information allow the key stakeholders to assess the consequences of a containment on their operations. Otherwise, response C is better.
The first phase after an incident has been detected is containment. Informing the required stakeholders according to the escalation procedures comes next.
On similar questions, when the phrasing differed from the general "incident" and explicitly stated "ransomware", the obvious answer was to contain the incident and prevent it from spreading.