Exam CISM topic 1 question 247 discussion

The answer is D, First step is to Contain/Preserve.

Team, the priority is to go back to business! And we can preserve the evidence for future analysis is great, but the business is first. So, the first priority is to be back online!

As an information security manager, restoring the "high profile" system to support business is 1st priority. Preserving incident-related data may take much time that businesses wouldn't tolerate.

Restoring the system would compromise the preservation of data it is D.

come on... first contain/preserve data and later restore..

Before restore you must implement improvements to prevent recurrence. Before implement improvement you must identify the malware that compromised the system. To identify the malware you must use incident relate data. Then, FIRST is D

How is this not C? I am very confused

Wont the first step of Incident Response is Identification ?

As an information security manager, you need to preserve the data to make sure further investigation can be done property. The data might be needed in future to provide as evidence. Fixing the system is something which can be done in parallel by technical team - it's not a job of information security manager!

C - For all technical folks we will choose to do identification and investigations but putting on the business hat (CISM is a business paper) getting the system up and meet business objectives is higher priority.

The FIRST priority for an information security manager after a high-profile system has been compromised is typically to preserve incident-related data. Preserving data is crucial for conducting a thorough forensic investigation to understand the extent of the compromise, identify the root cause, and gather evidence. Preserving the integrity of incident-related data helps ensure that the organization can conduct a proper post-incident analysis, and it may be essential for legal and regulatory purposes. While the other options (A, B, C) are important steps in incident response, preserving incident-related data is foundational to the entire investigation process.

D. Preserve incident-related data. Preserving incident-related data is crucial because it allows for a thorough investigation to determine the scope and impact of the compromise. Without preserving evidence and data related to the incident, it becomes challenging to understand how the breach occurred, what data or systems were affected, and who may have been responsible. This information is essential for making informed decisions about how to respond, recover, and implement improvements to prevent recurrence (option A) effectively. Once the incident-related data is preserved, the manager can then proceed with identifying the malware, restoring the compromised system, and implementing improvements to prevent future incidents.

Serious question. Why is it not B? Don't you have to identify the kind of attack first before doing anything else?

For a reason it's saying high-profile, in order to select C. You need to restore and get back to business ASAP. One day I read an article mentioning it was estimated Amazon will lose 4 million dollars for each 15 minutes when their services are not available, so do you think they tend to wait multiple 15 minutes to just preserve the incident related data? or they would like to restore ASAP?

I like C here, please stop posting ChatGPT or other related AI answers here .

the FIRST priority for an information security manager after a high-profile system has been compromised is to preserve incident-related data. This ensures that crucial evidence is secured and available for analysis, facilitating effective incident response, forensic investigations, and subsequent steps such as system restoration, identification of the malware, and implementing improvements to prevent recurrence.

D. Preserve incident-related data.