Exam CISM topic 1 question 497 discussion

When informed that customer data has been breached within a third-party vendor's environment, the information security manager should request and verify evidence of the breach (option B) FIRST. It is important to confirm that a breach has actually occurred before taking any further action. Requesting and verifying evidence of the breach can help to confirm the extent of the breach and the types of data that may have been compromised. Once the evidence has been obtained and verified, the information security manager can then take the appropriate next steps, such as notifying the incident response team (option C) and communicating the breach to leadership (option A). Option D, reviewing vendor obligations in the contract, could be useful in understanding the rights and responsibilities of the vendor and the company in the event of a breach, but it should not be the first step taken.

When informed that customer data has been breached within a third-party vendor's environment, an information security manager should FIRST notify the incident response team (Option C). Notifying the incident response team is critical to initiate the organization's incident response plan, which will help to contain the breach and mitigate any potential damage. The incident response team can work with the vendor to determine the scope and impact of the breach, as well as to identify the root cause and any potential vulnerabilities that may exist in the vendor's environment. Once the incident response team has been notified, the information security manager should request and verify evidence of the breach (Option B) to determine the extent of the damage and to identify any compromised data or systems. The information security manager should also review vendor obligations in the contract (Option D) to determine what responsibilities the vendor had in protecting customer data and to identify any potential legal or regulatory implications.

Verify/Validate first, do things after that.

It's a tricky question, but I think the key here is the part that says "within a third-party vendor's environment?". In other words, it didn't happen in the infosec manager's company, but at the third-party vendor to whom the company outsourced some activities. Based on that, the first thing infosec manager should do is ask to see what's the extent of the breach (verify) and them inform incident response team if necessary. So I'm gonna cautiously say it's B, but not 100% on that.

Before doing any action the IS manager needs to verify the incident before activation the incident response team actions : Option (B)

C. Notify the incident response team. Notifying the incident response team is crucial because they are trained to handle data breaches and can take immediate action to assess the situation, contain the breach, and gather the necessary information for further steps. While the other options (A, B, and D) are also important and should be done promptly, involving the incident response team is often the initial action to ensure an effective and coordinated response to the breach.

Option C

C is the correct answer and they will B .

B. Request and verify evidence of the breach.

B. Request and verify evidence of the breach.

tricky question: Assume the notification came from the third party, then Notify Incident Response team would be the correct Order Assume the notification came from a news bulletin, Then validate the Breach occurred would be Correct Question does not Justify which so I would go with Notifying the Incident response team

The first thing an information security manager should do when informed of a customer data breach within a third-party vendor's environment is to initiate an immediate investigation to determine the scope and impact of the breach. This includes verifying the authenticity of the breach, collecting and preserving evidence, containing the breach to prevent further damage, and communicating with relevant parties, such as the vendor, customers, and law enforcement, as appropriate.

at first, confirm the breach.