A. Escalation procedures.
Escalation procedures typically outline the steps and criteria for involving external parties, such as third-party support providers, in the incident response process. These procedures help determine when it's necessary to seek external expertise or assistance in mitigating and resolving a security incident. This could include scenarios where the incident exceeds the organization's in-house capabilities or expertise. Therefore, escalation procedures are the primary means for authorizing such transfers.
Exactly how I think. The infosec manager can be the person who is to authorize it, but who should it be exactly should be defined in an escalation plan.
A. Escalation procedures.
Escalation procedures typically outline the steps and criteria for involving external parties, such as third-party support providers, in the incident response process. These procedures help determine when it's necessary to seek external expertise or assistance in mitigating and resolving a security incident. This could include scenarios where the incident exceeds the organization's in-house capabilities or expertise. Therefore, escalation procedures are the primary means for authorizing such transfers.
The correct answer is (A) escalation procedures cause the steps are defined here by ISM and other stakeholders.
Rationale:
(B.) the information security manager is incorrect. Because escalation procedures are usually done alongside stakeholders and not just by the infosec manager. This is because the infosec manager may or may not be present. The infosec manager may or may not represent the interest of the business correctly. Even if he could do it well without eh business, if the manager leaves another manager may have a different process entirely. So this leads to inconsistency. Instead, the infosec manager alongside stakeholders should document it in an escalation procedure, and his predecessor/successor review and improve it. So it is instead preferred to have it in a documented process which is (A).
(C.) chain of custody is how you enforce it, but not authorize it. Authorization is by the infosec manager by what has been defined in the escalation procedures.
(D.) disaster recovery plan (DRP) relates to incidents and not necessarily security incidents.
Escalation procedures describe the steps that should be taken to manage and resolve security incidents, including when and how to involve external parties such as third-party support providers. These procedures typically include criteria for escalating incidents, such as severity level or resource constraints, and define the roles and responsibilities of different stakeholders involved in the incident response process.
ISM defines the criteria in the escalations procedures. This is primarily done because the ISM won't always be there to respond. Having it defined also enforces consistency and this is why they are documented in the first place. Thus why (A) is the correct answer.
The information security manager is responsible for overseeing the security of the organization's information systems and data. In the event of an internal security incident, the information security manager has the authority to make decisions about the response to the incident, including the transfer of the incident handling to a third-party support provider.
The information security manager considers factors such as the nature and severity of the incident, the resources and capabilities of the organization's internal security team, and the expertise and resources available from the third-party support provider when making a decision about transferring incident handling.
While escalation procedures, chain of custody, and disaster recovery plan (DRP) may also play a role in the response to a security incident, the primary decision-making authority rests with the information security manager. These other elements provide guidelines and procedures for responding to incidents, but the information security manager is responsible for making the final decision about how the incident will be handled.
I would argue the answer is A because the authorisation itself is DEFINED through the procedures... should the manager agree/consider the current factors is different
Chain of custody is how you enforce it, but that doesn't define when things are authorized. Only what to do once it is authorized.
upvoted 1 times
...
...
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Jess20
1 month agooluchecpoint
9 months, 3 weeks agoPerseus_68
1 year, 1 month agoAlexJacobson
10 months agooluchecpoint
1 year, 2 months agorichck102
1 year, 5 months ago[Removed]
1 year, 4 months agodark_3k03r
1 year, 6 months agobambs
1 year, 7 months agoCarlPTY07
1 year, 8 months agokoala_lay
1 year, 8 months agodark_3k03r
1 year, 6 months agoccKane
1 year, 9 months agokoala_lay
1 year, 8 months agoRowlandmarc
1 year, 8 months agoWladysk
1 year, 9 months agodark_3k03r
1 year, 6 months ago