definitely not B
A security incident escalation policy defines the procedures for escalating security incidents based on their severity and potential impact. It outlines the specific criteria for determining when to involve various groups within the organization, such as senior management, legal counsel, and external experts.
B. A severity-ranking mechanism tied only to the duration of the outage: Outage duration can be a factor in incident severity, but it's not the sole determinant. The policy should consider other factors such as the potential impact on data, systems, and reputation.
A security incident escalation policy typically includes decision criteria that define when and how to escalate the incident to various levels of management or response teams. This includes clear guidelines on the severity, impact, or characteristics of the incident that warrant escalation to different groups within the organization. This helps ensure a timely and appropriate response to security incidents based on their nature and potential impact.
While names and telephone numbers of key management personnel (option A) may be included in the policy, it is not the primary component. A severity-ranking mechanism tied only to the duration of the outage (option B) may not capture the full complexity of security incidents. Sample scripts and press releases for statements to the media (option C) are typically part of a communication plan rather than an escalation policy.
While the other options (A, B, and C) can also be important in the context of incident response, they are not as central to the core purpose of an escalation policy. For example:
Names and telephone numbers of key management personnel (option A) can be part of an incident response plan but are not specific to escalation criteria.
A severity-ranking mechanism tied only to the duration of the outage (option B) may not adequately capture the severity of all types of security incidents, and severity ranking should consider various factors beyond just duration.
Sample scripts and press releases for statements to the media (option C) are important for managing communication during incidents but are typically part of communication plans rather than escalation policies.
I work closely with SOC and I believe the answer is D.
The question is about "the COMPONENT of a security incident escalation policy". Hence we need to have decision criteria or severity defined under the policy when/what/who/how to escalate.
finally
You guys clearly don't know what working in SOC is,
Policy won't include names; this would include when and how. Or else policy would change as often as promotions, terminations, etc.
Policy FIRST needs to define what can be escalated, not who. Taking IR plan for example,
they define what an incident is and when it can be escalated once it has reached a certain level.
Details of who (name) and where (number) to contact keep changing as people come and go whereas policy is a long-term document. Sorry, but A is not the answer.
A security incident escalation policy is a set of procedures that define how security incidents should be reported, investigated, and resolved. One of the key components of such a policy is decision criteria that outline when to escalate an incident to various groups, such as the incident response team, senior management, or law enforcement agencies.
A. I say A because before you know when to escalate, you need to have the information of those you need to escalate to. For that reason, my answer is A.
D. Decision Criteria to know *when* to escalate, which includes alerting relevant stakeholders/executives. Without it, you would not know when to escalate/alert.