An incident response team has determined there is a need to isolate a system that is communicating with a known malicious host on the Internet. Which of the following stakeholders should be contacted FIRST?
CISM Review Manual 16th edition. pg. 269.
3. Containment.
"After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action."
Although I personally think D (system administrator) should be the first to contact, this is CISM. It's all about what a manager should do.
A, even though my natural response would have been D. If this were a production system, isolating it or taking any action that degrades performance should be the business owner's call.
D. System administrator
When the incident response team identifies a need to isolate a system communicating with a known malicious host, the first priority is to contain the threat to prevent further damage or data loss. The system administrator is the most appropriate stakeholder to contact first in this situation, as they possess the technical knowledge and access rights to quickly isolate the system. Swift action by the system administrator can mitigate the impact of the incident by ensuring that the threat does not spread to other parts of the network or compromise sensitive information.
Contacting the business owner (Option A), key customers (Option B), or executive management (Option C) might be necessary as part of the incident response process, especially for communication, impact assessment, and decision-making on further actions. However, these steps typically follow the immediate containment and technical resolution actions, where the system administrator's role is critical.
"An incident response team has determined there is a need to isolate a system" is very important in understanding this question, in my opinion. If they have determined this, they have gone through Identification and now they are at Containment. Who should you call in this step? The stakeholders responsible for containing the threat, in this instance IT or system admins.
There is nowhere mentioned it is severity 1 issue.
Isolating the system will stop business, thus the BO must be informed first.
If it is severity 1, C should be the first, then D
It's the Business Owner. If you go to the administrator what do you tell to him? isolate the system? FIRST you go to the business owner, explain the situation, and if he is OK, then you go to the system administrator and isolate it.
I'm not gonna vote, but provide my opinion here:
Although it's CISM and we have to think like managers, I'm going with D - System Administrator just because it makes the most sense. I mean, imagine discovering this happening in the middle of the night during holiday season. Are we REALLY going to wait for the business owner's response in order to isolate and contain an attack if he's not responding for hours or days on his cell phone or email?
Then again, in the ISACA world, the first stakeholder you should contact is the business owner.
Obvious answer. This is an incident, first thing that needs to happen is isolate the problem. That is always the first step and will continue to be the first step no matter the impact.
D.
The system administrator is responsible for implementing the necessary technical actions to isolate the compromised system and mitigate further damage. They are typically the most directly involved in managing the technical aspects of the system and can take immediate action to disconnect it from the network or take other necessary steps to contain the threat.
After isolating the system, the incident response team can then proceed with informing other stakeholders, such as the business owner (A), executive management (C), and potentially key customers (B), as appropriate, depending on the severity and impact of the incident. However, the immediate technical response is the responsibility of the system administrator.
Page 175, Section: "Incident Management and Response"
It states:
"In an ongoing incident, it is crucial to involve those who can directly intervene and potentially stop or limit damage as quickly as possible. This often means directly involving system administrators who can isolate affected systems, or network engineers who can block malicious traffic."
An enterprise will have an escalation procedure which starts with frontline engineers/SAs. If the BO was 1st on the escalation list, they would never get any sleep. :-)
Therefore D is correct. A biz owner likely isn't going to be a sys admin or an engineer for that matter. This is a serious incident and an SA would be able to mitigate it. Granted, someone should also be on a phone call with the BO to let them know the situation, but that's not FIRST.
Big companies are also going to have a 24/7 SOC that will see the incident before the BO. There will be SOPs in place (as well as a KB) that instruct the SA on how to handle the incident.
As per my understanding this is an incident; hence Executive Management should be contacted first if any incident occurs. But I'm surprised how it could be the Business Owner, as they can't be directly reached by the IRT.