CCNA Incident Management Questions

75 of 150 questions · Page 1/2 · Incident Management · Answers revealed

1
MCQ · medium

Which of the following is a key reason to have a forensic retainer in place before an incident occurs?

A. To avoid the need for a chain of custody
B. To ensure the firm understands the organization's IT environment
C. To guarantee lower costs
D. To reduce the time needed to engage the firm when an incident occurs
Answer: D

A pre-signed retainer allows immediate deployment without contract delays.

Why this answer

Having a pre-negotiated contract reduces the time to engage forensic experts, which is critical during an incident.

2
MCQ · hard

An organization has experienced a DDoS attack that is overwhelming its internet-facing services. The incident response team has implemented mitigations, but services remain degraded. The maximum tolerable downtime (MTD) for the affected services is 4 hours, and 3 hours have passed. Which of the following should the incident manager do NEXT?

A. Continue current mitigation efforts and reassess after another hour.
B. Increase the capacity of the DDoS mitigation service.
C. Escalate to the crisis management team to consider activating the disaster recovery plan.
D. Notify customers of a prolonged outage.
Answer: C

This allows for a timely decision to invoke BC/DR before MTD expires.

Why this answer

If an incident cannot be resolved within the MTD, it should transition to BC/DR activation. The decision authority (e.g., CISO or CMT) should declare a disaster.

3
MCQ · medium

During a major cybersecurity incident classified as P1, the incident response team has been activated. The crisis management team (CMT) is also convened. Which of the following is the PRIMARY responsibility of the CMT during this incident?

A. Notifying law enforcement and regulatory bodies immediately.
B. Directly managing the technical containment and eradication of the threat.
C. Making strategic decisions, managing communications, and allocating resources.
D. Performing forensic analysis to identify the root cause of the incident.
Answer: C

The CMT provides executive-level oversight and decision-making.

Why this answer

The CMT handles strategic decisions, communication, and resource allocation, while the IR team focuses on technical response.

4
MCQ · easy

Which type of incident response exercise involves a facilitated discussion of a hypothetical scenario to review plans and procedures?

A. Full-scale exercise
B. Simulation
C. Drill
D. Tabletop exercise
Answer: D

Tabletop exercises are discussion-based and used to validate plans and procedures.

Why this answer

A tabletop exercise is a discussion-based exercise where team members walk through a scenario to identify strengths and gaps.

5
MCQ · easy

Which component of an incident response programme provides detailed step-by-step instructions for handling a specific type of incident, such as ransomware or data breach?

A. Incident response plan
B. Incident response policy
C. Incident response playbook
D. Communication template
Answer: C

Playbooks provide step-by-step guidance for specific incident types.

Why this answer

Playbooks (or runbooks) provide detailed procedures for specific incident types, while the IR plan is a broader document.

6
MCQ · easy

An organization's incident response (IR) policy should be approved by which of the following to ensure authority and accountability?

A. The incident response manager
B. The legal counsel
C. The IT director
D. The board of directors or executive management
Answer: D

Senior management approval ensures policy authority and resource commitment.

Why this answer

The IR policy requires senior management approval to demonstrate organizational commitment and allocate necessary resources.

7
MCQ · easy

What is the primary purpose of having a pre-established forensic retainer agreement with an external forensics firm?

A. To ensure chain of custody
B. To reduce time to engage during an incident
C. To reduce legal liability
D. To guarantee confidentiality
Answer: B

Having a contract in place speeds up the hiring process.

Why this answer

The primary purpose of a pre-established forensic retainer agreement is to reduce the time to engage during an incident. By having a contract already in place, the organization can bypass procurement and legal review delays, enabling the forensics firm to begin work immediately when an incident occurs, which is critical for preserving volatile evidence and minimizing damage.

Exam trap

The trap here is that candidates often confuse the retainer's purpose with operational controls like chain of custody or legal protections, when in fact the CISM exam emphasizes the retainer's role in reducing response time during incident management.

How to eliminate wrong answers

Option A is wrong because chain of custody is a procedural and documentation requirement, not a contractual one; a retainer agreement does not directly ensure chain of custody—that is achieved through proper evidence handling and logging. Option C is wrong because while a retainer may include liability clauses, its primary purpose is not to reduce legal liability; liability reduction is a secondary benefit, and the main goal is rapid engagement. Option D is wrong because confidentiality is typically addressed via a separate non-disclosure agreement (NDA) or terms within the retainer, but the retainer's primary purpose is not to guarantee confidentiality—it is to pre-authorize and expedite forensic services.

8
Multi-Select · hard

During a major cybersecurity incident, the crisis management team (CMT) is activated. Which THREE roles are typically part of the CMT? (Select THREE.)

Select 3 answers
A. Chief executive officer (CEO)
B. General counsel (GC)
C. Security analyst
D. Incident response manager
E. Chief financial officer (CFO)
Answers: A, B, E

CEO provides executive leadership.

Why this answer

The CEO is correct because as the highest-ranking executive, they provide strategic direction, authorize critical decisions (e.g., public disclosure, resource allocation), and serve as the primary liaison to the board of directors during a major incident. The GC is correct because they manage legal risks, ensure compliance with breach notification laws (e.g., GDPR, CCPA), and oversee communications with regulators and law enforcement. The CFO is correct because they assess financial impacts, approve emergency budgets, and coordinate with insurance carriers for cyber liability claims.

Exam trap

The trap here is that candidates confuse the Incident Response Team (IRT) with the Crisis Management Team (CMT), incorrectly selecting operational roles like security analyst or incident response manager instead of the executive leadership roles that constitute the CMT.

9
MCQ · medium

An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is unable to restore operations within the maximum tolerable downtime (MTD). Which action should be taken next?

A. Notify law enforcement
B. Increase the ransom payment
C. Escalate to activate the business continuity/disaster recovery plan
D. Engage the forensics firm to preserve evidence
Answer: C

BC/DR activation is triggered when MTD is at risk, ensuring continuity of critical functions.

Why this answer

When an incident cannot be resolved within MTD, it escalates to business continuity/disaster recovery activation to restore operations.

10
MCQ · medium

As part of post-incident activities, an organization schedules a lessons learned meeting. When should this meeting ideally take place?

A. At the next quarterly board meeting
B. Immediately after the incident is detected
C. Only after all legal proceedings are concluded
D. Within 2 weeks of incident resolution
Answer: D

This timeframe ensures information is still fresh and improvements can be implemented quickly.

Why this answer

Lessons learned meetings should occur within two weeks of incident resolution while details are fresh, to capture accurate feedback and improve the IR plan.

11
MCQ · medium

Following containment of a ransomware incident, the incident response team is conducting a root cause analysis. Which method involves repeatedly asking 'why' to drill down to underlying causes?

A. Pareto analysis
B. SWOT analysis
C. 5 Whys
D. Fishbone diagram
Answer: C

5 Whys repeatedly asks 'why' to reach root cause.

Why this answer

The 5 Whys technique is a simple root cause analysis method that iteratively asks 'why' to move from symptoms to root causes.

12
MCQ · easy

Which of the following incident categories would typically require the involvement of the crisis management team?

A. A P2 high-severity DDoS attack that has been mitigated within a few hours.
B. A P3 medium-severity insider threat involving unauthorized access to a non-critical system.
C. A P4 low-severity phishing email reported by a user.
D. A P1 critical-severity ransomware attack encrypting critical systems.
Answer: D

P1 incidents require executive involvement and CMT activation.

Why this answer

A P1 critical-severity ransomware attack encrypting critical systems requires immediate activation of the crisis management team because it poses an existential threat to business operations, often involving legal, PR, executive, and regulatory stakeholders. The crisis management team handles incidents that exceed the capacity of the incident response team, typically those with high business impact, widespread system compromise, or potential for significant financial/reputational damage.

Exam trap

The trap here is that candidates often confuse incident severity (P1-P4) with the need for crisis management, but CISM emphasizes that crisis management is triggered by business impact and stakeholder involvement, not just technical severity—so a high-severity but quickly mitigated DDoS (Option A) may not require crisis escalation, while a critical ransomware attack (Option D) always does.

How to eliminate wrong answers

Option A is wrong because a P2 high-severity DDoS attack that has been mitigated within a few hours is typically handled by the incident response team using network-layer mitigation techniques (e.g., BGP RTBH, rate-limiting, or scrubbing services) and does not require crisis-level escalation. Option B is wrong because a P3 medium-severity insider threat involving unauthorized access to a non-critical system is a standard incident response task, often investigated by the security operations center (SOC) using log analysis and user behavior analytics (UBA), without needing executive crisis management. Option C is wrong because a P4 low-severity phishing email reported by a user is a routine, low-impact event that is handled through standard security awareness processes and automated email filtering (e.g., SPF, DKIM, DMARC checks), not requiring crisis team involvement.

13
MCQ · easy

Which role in the incident response team structure is responsible for coordinating all response activities and making decisions about incident severity classification?

A. Incident response manager
B. Communications lead
C. Security analysts
D. Forensic investigators
Answer: A

The IR manager oversees the entire response and classifies the incident.

Why this answer

The IR manager leads the team, coordinates activities, and classifies incidents based on severity.

14
MCQ · medium

An organization's incident response team has contained a data breach. Legal counsel has advised that litigation is likely. Which of the following actions should the team take to preserve evidence?

A. Issue a legal hold and create forensic images of affected systems
B. Immediately wipe affected systems to prevent further data loss
C. Notify the affected individuals as required by law
D. Delete all logs to avoid exposing sensitive information
Answer: A

Legal hold preserves data, and forensic images capture the state for evidence.

Why this answer

When litigation is anticipated, a legal hold must be issued to prevent destruction of relevant evidence, and forensic copies should be made before remediation.

15
MCQ · hard

An incident response team is handling a supply chain compromise that has affected a critical business process. The estimated recovery time exceeds the maximum tolerable downtime (MTD). What should the incident manager do NEXT?

A. Notify affected customers of the expected delay
B. Continue containment efforts and hope for a faster recovery
C. Escalate to the BC/DR team and the authority who can declare a disaster
D. Shut down the affected system to prevent further impact
Answer: C

When MTD is exceeded, BC/DR must be activated to restore operations.

Why this answer

When MTD is exceeded, the incident escalates to business continuity/disaster recovery activation. The BC/DR decision authority should be notified to declare a disaster and activate recovery plans.

16
Multi-Select · medium

Which TWO of the following are essential components of an incident response programme that should be established before an incident occurs? (Select TWO.)

Select 2 answers
A. An insurance claim form for cyber incidents
B. A signed retainer agreement with a forensics firm
C. A list of affected customers from the most recent data breach
D. A root cause analysis report from a previous incident
E. An incident response team with assigned roles and responsibilities
Answers: B, E

Having a retainer in place reduces time to engage external forensics.

Why this answer

An IR team with defined roles and a signed retainer with a forensics firm are critical preparatory elements. An IR plan is also prepared in advance, but it is not among the options; the question asks only for components established before an incident.

17
MCQ · medium

A security analyst detects a series of failed login attempts followed by a successful login from an unusual geographic location. The account is a standard user account. Which incident category best describes this scenario?

A. Data breach
B. Supply chain attack
C. Insider threat
D. Account compromise
Answer: D

The pattern of failed logins followed by a success from a new location indicates compromised credentials.

Why this answer

The scenario describes an account compromise where credentials are likely stolen and used to gain unauthorized access.

18
Multi-Select · medium

Which THREE of the following should be included in an incident communication template?

Select 3 answers
A. Affected systems or data
B. Description of the incident
C. Actions to be taken by recipients
D. Technical indicators of compromise (IoCs)
E. Attribution of the attacker
Answers: A, B, C

Knowing what is affected is crucial for response.

Why this answer

Communication templates should include the incident description, affected parties, and guidance on actions to take. Technical details and attacker attribution are not typically included in templates.

19
MCQ · medium

Which of the following is a key objective of sharing threat intelligence, such as indicators of compromise (IoCs), with an Information Sharing and Analysis Center (ISAC)?

A. To document the incident for insurance claims
B. To market the organization's security capabilities
C. To receive timely threat information and contribute to community defense
D. To fulfill regulatory requirements for public disclosure
Answer: C

ISACs facilitate mutual sharing of threat intelligence.

Why this answer

Sharing IoCs helps other organizations detect and defend against similar threats, improving collective security.

20
MCQ · medium

During a P1 (critical) security incident, which of the following is the MOST appropriate frequency for providing executive status updates?

A. At the end of the incident
B. Daily briefings
C. Only upon significant changes
D. Hourly situation reports (sitreps)
Answer: D

Hourly sitreps are standard for P1 incidents to ensure timely updates.

Why this answer

For critical incidents, regular and frequent communication is required to keep executives informed.

21
MCQ · hard

During a data breach investigation, the legal counsel advises the incident response team to ensure that communications with external forensic experts are protected by attorney-client privilege. Which action best preserves this privilege?

A. Using a pre-existing retainer agreement without legal involvement
B. Having the forensic firm report directly to the CISO
C. Having the forensic firm sign a non-disclosure agreement
D. Engaging the forensic firm through legal counsel and ensuring that their work is done at the direction of legal
Answer: D

This approach maintains attorney-client privilege by making the forensic work part of legal advice.

Why this answer

Engaging the forensic firm through legal counsel and having them work under the direction of legal helps protect communications under attorney-client privilege. Direct engagement by the business may waive privilege.

22
MCQ · medium

Which post-incident activity involves identifying the technical cause, the process failure that allowed it, and the management/governance failure that permitted the process failure?

A. Lessons learned meeting
B. Incident closure report
C. Root cause analysis (RCA)
D. Threat intelligence sharing
Answer: C

RCA systematically uncovers the technical, process, and management causes.

Why this answer

Root cause analysis (RCA) digs into multiple layers to find underlying issues, often using techniques like 5 Whys or fishbone diagrams.

23
MCQ · easy

What is the PRIMARY reason for having an incident response team roster and contact list readily available?

A. To satisfy regulatory compliance requirements.
B. To ensure all team members have the necessary training.
C. To provide a list for auditors to review.
D. To enable quick activation of the incident response team.
Answer: D

Time is critical during an incident; delays in contacting team members can worsen impact.

Why this answer

Rapid activation of the IR team depends on knowing who to contact and their backup.

24
MCQ · medium

During a major security incident classified as P1, which of the following is the MOST appropriate communication frequency to the executive team?

A. Daily summary reports
B. Only upon significant changes
C. Hourly situation reports (sitreps)
D. At the end of the incident
Answer: C

Hourly updates are standard for P1 incidents to provide timely information.

Why this answer

For P1 (critical) incidents, hourly situation reports (sitreps) are expected to keep executives informed of rapidly evolving events.

25
Multi-Select · medium

Which TWO of the following are typical notification deadlines for regulatory reporting of a data breach? (Select TWO.)

Select 2 answers
A. 4 business days (SEC proposed)
B. 30 days
C. 72 hours (GDPR)
D. 7 days
E. 24 hours
Answers: A, C

SEC proposed rule requires reporting within 4 business days.

Why this answer

GDPR requires notification within 72 hours. The SEC proposed rule requires notification within 4 business days for material cybersecurity incidents.

26
MCQ · medium

Which of the following is the PRIMARY role of the executive sponsor in the incident response team structure?

A. To handle all media inquiries and public relations.
B. To serve as legal counsel and ensure compliance.
C. To provide strategic direction, resources, and decision-making authority.
D. To manage the technical investigation and forensic analysis.
Answer: C

The executive sponsor is a senior leader who enables the IR team.

Why this answer

The executive sponsor provides authority, resources, and strategic direction, and ensures the IR team has the support needed to respond effectively.

27
MCQ · hard

An organization has just experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame for notifying the supervisory authority?

A. 48 hours
B. 7 days
C. 24 hours
D. 72 hours
Answer: D

GDPR requires notification within 72 hours.

Why this answer

GDPR Article 33 requires notification within 72 hours of becoming aware of the breach.

28
MCQ · medium

During a P1 (critical) incident, the incident response manager has been providing hourly situation reports (sitreps) to executives. What is the primary reason for involving legal counsel in these communications?

A. To approve technical containment actions
B. To preserve attorney-client privilege and avoid creating damaging records
C. To coordinate with external forensics firms
D. To ensure compliance with regulatory notification deadlines
Answer: B

Legal counsel helps maintain privilege and prevent statements that could be used against the organization.

Why this answer

Legal counsel involvement helps protect communications under attorney-client privilege and avoids speculation that could create liability.

29
MCQ · easy

Which incident severity level requires executive notification and 24/7 response, and has major business impact?

A. P3 - Medium
B. P1 - Critical
C. P2 - High
D. P4 - Low
Answer: B

P1 incidents are critical with major business impact, executive notification, and 24/7 response.

Why this answer

P1 (Critical) incidents have major business impact, require executive notification, and demand a 24/7 response effort.

30
MCQ · medium

Which of the following incident types is MOST likely to require activation of the crisis management team (CMT) due to potential regulatory and reputational impact?

A. A P1 data breach involving customer personally identifiable information (PII).
B. A P2 denial-of-service attack that is quickly mitigated.
C. A P4 phishing email reported by a user.
D. A P3 insider threat involving an employee accessing unauthorized files.
Answer: A

High impact data breaches demand strategic decisions and external communication.

Why this answer

A P1 data breach involving customer PII triggers mandatory breach notification laws (e.g., GDPR Article 33, HIPAA Breach Notification Rule) and often requires immediate CMT activation to manage regulatory filings, legal liability, and public relations. The CMT is designed for high-severity incidents with significant business, legal, or reputational consequences, which a P1 breach directly entails.

Exam trap

The trap here is that candidates may confuse technical severity (e.g., a DDoS causing downtime) with business/regulatory impact, failing to recognize that only incidents with legal or reputational fallout (like a PII breach) necessitate CMT activation, not merely high technical severity.

How to eliminate wrong answers

Option B is wrong because a P2 denial-of-service attack that is quickly mitigated typically does not involve data loss or regulatory notification requirements, so it would be handled by the technical incident response team without CMT escalation. Option C is wrong because a P4 phishing email reported by a user is a low-severity, routine event that is usually handled via standard security awareness processes and does not warrant CMT involvement. Option D is wrong because a P3 insider threat involving unauthorized file access, while serious, is typically contained and investigated by the incident response team and HR, and only escalates to the CMT if it leads to a confirmed data breach or regulatory exposure.

31
MCQ · easy

Which of the following is the primary reason for conducting a lessons learned meeting after an incident?

A. To document the incident for insurance
B. To update the IR plan and playbooks
C. To satisfy regulatory requirements
D. To assign blame
Answer: B

Lessons learned lead to improvements in plans and procedures.

Why this answer

The lessons learned meeting aims to identify improvements to the incident response process.

32
MCQ · easy

Which of the following is the PRIMARY reason for including communication templates in the incident response plan?

A. To reduce the workload on the communications lead.
B. To comply with regulatory requirements for breach notification.
C. To ensure consistent and timely messaging to stakeholders.
D. To avoid legal liability by using approved language.
Answer: C

Templates help deliver clear, pre-approved messages quickly.

Why this answer

Communication templates ensure that notifications are consistent, accurate, and timely during the stress of an incident, reducing the risk of errors or omissions.

33
MCQ · hard

During a major incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the communications lead on the CMT?

A. Coordinating all external and internal communications
B. Authorizing financial expenditures for incident response
C. Directing technical containment efforts
D. Preserving digital evidence for litigation
Answer: A

The communications lead ensures consistent messaging and manages stakeholder communication.

Why this answer

The communications lead manages external and internal messaging, including media and customer notifications.

34
MCQ · medium

An organization's incident response plan requires that evidence be preserved for potential litigation. Which of the following actions is MOST critical to ensure the admissibility of digital evidence?

A. Storing evidence in a secure, access-controlled location.
B. Creating forensic images of all affected systems before remediation.
C. Encrypting all evidence files to prevent unauthorized access.
D. Documenting the chain of custody for all evidence collected.
Answer: D

Chain of custody is the foundation for evidence integrity in court.

Why this answer

Admissibility of digital evidence in court hinges on demonstrating that the evidence has not been tampered with from the moment of collection to presentation. The chain of custody is the legally mandated documentation that tracks every person who handled the evidence, the time and date of each transfer, and the purpose of each action. Without a complete and verifiable chain of custody, the opposing counsel can successfully argue that the evidence may have been altered, making it inadmissible regardless of how securely it was stored or imaged.

Exam trap

The trap here is that candidates confuse operational best practices (like creating forensic images or securing evidence) with the legal requirement for admissibility, which is fundamentally about proving an unbroken chain of custody through meticulous documentation.

How to eliminate wrong answers

Option A is wrong because storing evidence in a secure, access-controlled location protects its integrity but does not create the legal record required to prove that integrity in court; a secure location alone cannot rebut allegations of tampering without documented custody transfers. Option B is wrong because creating forensic images before remediation is a best practice for preserving evidence, but the images themselves are useless for litigation if the chain of custody is not documented; the image must be accompanied by a hash (e.g., SHA-256) and a custody log to be admissible. Option C is wrong because encrypting evidence files prevents unauthorized access but introduces a separate admissibility hurdle: if the encryption key is lost or the decryption process cannot be verified, the evidence may be deemed inaccessible or its integrity questioned; encryption does not replace the need for a documented chain of custody.

35
MCQ · easy

Which incident severity level is characterized by major business impact, requires executive notification, and demands 24/7 response?

A. P3 — Medium
B. P2 — High
C. P4 — Low
D. P1 — Critical
Answer: D

P1 incidents have major business impact, executive notification, and 24/7 response.

Why this answer

P1 (critical) incidents have the highest severity and require immediate, around-the-clock response.

36
MCQ · medium

After a P2 (high) incident is resolved, the incident response team conducts a lessons learned meeting. Which timeframe is most appropriate for holding this meeting?

A. Immediately after containment
B. Only after the root cause analysis is completed
C. Within 2 weeks of incident resolution
D. Within 30 days of incident resolution
Answer: C

This timeframe balances freshness of details with time to gather data.

Why this answer

Industry best practices and many frameworks recommend holding a lessons learned meeting within two weeks of incident resolution while details are still fresh.

37
MCQ · easy

Which of the following is the PRIMARY purpose of an incident response plan?

A. To document vendor contacts only
B. To assign blame for security failures
C. To replace the need for incident response training
D. To provide a step-by-step guide for responding to incidents
Answer: D

The plan outlines roles, procedures, and communication to enable effective response.

Why this answer

The IR plan provides a structured approach to manage incidents, minimizing impact and ensuring efficient response.

38
MCQ · hard

An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is working on containment. Which communication should the incident manager prioritize FIRST?

A. Notify the executive sponsor, legal counsel, and communications lead
B. Contact the organization's cyber insurance provider
C. Notify law enforcement
D. Issue a press release
Answer: A

These key stakeholders need to be informed immediately to activate crisis management and legal protocols.

Why this answer

Immediate containment and notification of key internal stakeholders (executive sponsor, legal, communications) is the first priority to coordinate response and manage legal/regulatory obligations.

39
Multi-Select · hard

Which THREE of the following are key activities during the post-incident phase of incident management? (Select THREE.)

Select 3 answers
A. Updating incident response plans and playbooks based on lessons learned
B. Activating the disaster recovery site
C. Conducting root cause analysis using techniques like 5 Whys
D. Sharing indicators of compromise with relevant ISACs
E. Implementing immediate containment measures
Answers: A, C, D

Plans and playbooks should be updated to reflect improvements.

Why this answer

Root cause analysis, updating the IR plan/playbooks, and sharing IoCs with ISACs are all post-incident activities. Activating the DR site occurs during the response, not post-incident.

40
MCQ · medium

After a data breach incident, the incident response team must preserve evidence for potential litigation. Which of the following actions should be taken FIRST?

A. Update the IR plan
B. Begin remediation
C. Notify law enforcement
D. Issue a legal hold
Answer: D

A legal hold prevents destruction of evidence.

Why this answer

Issuing a legal hold ensures that all relevant data is preserved and not deleted, which is the first step in evidence preservation.

41
MCQ · easy

Which of the following is the PRIMARY purpose of having a pre-established contract with a digital forensics firm before an incident occurs?

A. To ensure attorney-client privilege is automatically applied
B. To ensure the firm is available 24/7
C. To guarantee a discounted rate
D. To reduce the time required to engage the firm during an incident
Answer: D

A retainer speeds up the contracting process.

Why this answer

The primary purpose of a pre-established contract with a digital forensics firm is to eliminate procurement delays during an incident. When an incident occurs, time is critical; having a signed contract in place allows the firm to be engaged immediately without waiting for legal or administrative approvals, which directly supports the incident response goal of minimizing damage and preserving evidence.

Exam trap

The trap here is that candidates confuse a secondary benefit (like cost savings or availability) with the primary operational goal of reducing engagement time, which is the core driver in incident management scenarios.

How to eliminate wrong answers

Option A is wrong because attorney-client privilege is not automatically applied by a contract; it requires specific legal agreements and actions (e.g., engaging counsel to direct the work under privilege rules), and a pre-established contract alone does not guarantee this protection. Option B is wrong because, while availability is a benefit, it is not the primary purpose; 24/7 availability can be arranged without a pre-established contract, and the core issue is reducing engagement time, not just availability. Option C is wrong because discounted rates are a secondary commercial benefit, not the primary purpose; the main driver is operational efficiency during an incident, not cost savings.

42
MCQeasy

Which document outlines the overall strategy, roles, and responsibilities for incident response across the organization?

A.Communication plan
B.Incident response plan
C.Incident response policy
D.Incident response playbook
AnswerB

The plan defines the strategy, roles, and responsibilities.

Why this answer

The incident response plan provides the high-level strategy and coordination framework.

43
MCQeasy

What is the PRIMARY purpose of conducting a lessons learned meeting after an incident?

A.To determine if legal action is needed
B.To calculate the financial impact of the incident
C.To assign disciplinary actions
D.To update the incident response plan and procedures
AnswerD

The meeting generates recommendations to enhance the IR program.

Why this answer

The lessons learned meeting aims to improve future response by identifying what worked and what did not.

44
MCQeasy

Which component of the incident response programme provides step-by-step technical instructions for handling a specific type of security incident?

A.Incident response plan
B.Incident response policy
C.Incident response playbook
D.Communication templates
AnswerC

Playbooks contain specific, step-by-step technical procedures for each incident type.

Why this answer

C is correct because an incident response playbook provides detailed, step-by-step technical instructions for handling a specific type of security incident (e.g., ransomware, DDoS, phishing). Unlike the higher-level incident response plan, a playbook contains precise technical actions, such as commands to isolate a host, indicators of compromise (IOCs) to block, and escalation criteria tailored to a particular threat.

Exam trap

The trap here is that candidates confuse the incident response plan (strategic, high-level) with the playbook (tactical, incident-specific), often selecting the plan because it sounds like the most comprehensive document, but the question explicitly asks for 'step-by-step technical instructions' which only the playbook provides.

How to eliminate wrong answers

Option A is wrong because the incident response plan is a strategic document that outlines the overall process, roles, and coordination for incident management, not the granular technical steps for a specific incident type. Option B is wrong because the incident response policy defines high-level management intent, compliance requirements, and governance, not operational technical procedures. Option D is wrong because communication templates provide pre-formatted messages for notifying stakeholders (e.g., legal, PR, customers) but do not contain the technical steps needed to contain, eradicate, or recover from a security incident.

45
MCQmedium

During a P1 incident, the incident response team identifies that the root cause is a misconfigured firewall. According to best practices, which of the following should be the PRIMARY focus of the root cause analysis?

A.Patching the firewall immediately
B.Conducting a lessons learned meeting immediately
C.Determining why the firewall was misconfigured and why the change management process failed
D.Restoring the firewall from backup
AnswerC

This addresses the underlying process and management failures.

Why this answer

Root cause analysis should identify not only the technical cause but also the process and management failures that allowed the misconfiguration to occur.

46
MCQhard

Following a ransomware incident where data was encrypted and exfiltrated, the root cause analysis reveals that the initial access occurred through a phishing email that bypassed email filters due to a misconfiguration. The misconfiguration was not identified because the security team lacked a formal process to review firewall rule changes. Which of the following is the most appropriate management/governance failure to document in the lessons learned?

A.Employees should have been trained to recognize phishing emails.
B.The email filter vendor did not provide adequate support.
C.The security team did not have a change management process for security control configurations.
D.The incident response plan was not followed during the incident.
AnswerC

A lack of change management for security controls is a governance failure that allowed the misconfiguration to persist.

Why this answer

The technical cause is the phishing email, the process failure is the lack of review of email filter configurations, and the management/governance failure is the absence of a change management process for security controls.

47
MCQhard

An organization is engaging an external forensics firm to investigate a suspected data breach. Which of the following is the most important step to ensure that evidence remains admissible in legal proceedings?

A.Ensuring the forensics firm has signed a non-disclosure agreement
B.Negotiating a fixed price for the investigation
C.Requiring the forensics firm to report findings directly to the CEO
D.Issuing a legal hold and making forensic copies of affected systems before remediation
AnswerD

Legal hold preserves evidence, and forensic copies ensure the original evidence is untouched.

Why this answer

Preserving the chain of custody and ensuring forensic copies are made before remediation is critical for evidence admissibility. Legal hold ensures that relevant data is preserved.

48
MCQhard

A security analyst discovers that an employee's credentials were used to access a sensitive database containing customer PII. The analyst immediately disables the account and begins remediation. Which incident category best describes this scenario?

A.Data breach
B.Physical security
C.Account compromise
D.Insider threat
AnswerC

The key action is unauthorized use of credentials, which is account compromise.

Why this answer

Option C is correct because the incident involves unauthorized use of legitimate credentials to access a sensitive database, which is the defining characteristic of an account compromise. The immediate disabling of the account and remediation aligns with standard incident response procedures for credential theft, where the attacker has gained authenticated access without authorization. This is distinct from a data breach, which focuses on the exfiltration or exposure of data, not the method of access.

Exam trap

The trap here is that candidates confuse the method of access (account compromise) with the outcome (data breach), but CISM distinguishes incidents by the root cause and attack vector, not just the potential impact.

How to eliminate wrong answers

Option A is wrong because a data breach specifically refers to the confirmed exfiltration, loss, or unauthorized disclosure of data, whereas this scenario only describes unauthorized access using compromised credentials—data may not have been extracted or exposed. Option B is wrong because physical security incidents involve tangible assets like unauthorized entry to a facility, theft of hardware, or tampering with physical controls, not the use of digital credentials to access a database. Option D is wrong because an insider threat requires the actor to be an employee, contractor, or trusted party with legitimate access who intentionally or negligently causes harm, but this scenario does not specify the identity of the attacker—it could be an external threat actor using stolen credentials.

49
MCQhard

A security analyst suspects a credential compromise involving an executive's account. The analyst has isolated the system. What should be the NEXT step according to best practices?

A.Create a forensic image of the affected system
B.Block the account in Active Directory
C.Notify the executive and ask them to change their password
D.Reset the executive's password immediately
AnswerA

Forensic imaging preserves evidence before any changes are made.

Why this answer

Before any remediation, preserving evidence (forensic image) is critical for investigation and potential legal action. Then notify the incident manager to follow the playbook.

50
MCQhard

During a forensic investigation, the external forensics firm discovers evidence that may indicate criminal activity. The incident manager wants to ensure attorney-client privilege is maintained. What should be done?

A.Share evidence directly with law enforcement
B.Involve legal counsel to manage privilege
C.Ignore privilege to speed up investigation
D.Publicly disclose the evidence
AnswerB

Legal counsel can direct the investigation to preserve privilege.

Why this answer

Involving legal counsel is essential to establish and preserve attorney-client privilege over the forensic investigation. Legal counsel can direct the scope of the investigation, issue a 'Kovel letter' to engage the external forensics firm as an agent of the attorney, and ensure that all communications and findings are protected under the work-product doctrine. Without this step, any evidence of criminal activity could be deemed discoverable and waive privilege, potentially compromising the organization's legal defense.

Exam trap

Cisco often tests the misconception that speed or direct law enforcement cooperation is the priority, but the trap here is that preserving attorney-client privilege requires legal counsel to be involved from the outset, not after evidence is already shared.

How to eliminate wrong answers

Option A is wrong because sharing evidence directly with law enforcement without legal counsel's review typically waives attorney-client privilege and may violate data privacy regulations (e.g., GDPR, HIPAA) by prematurely disclosing protected information. Option C is wrong because ignoring privilege to speed up the investigation destroys the legal protection of the entire forensic work product, making all findings admissible in court against the organization and exposing it to liability. Option D is wrong because publicly disclosing evidence of criminal activity not only waives privilege but also violates confidentiality agreements, damages reputation, and may obstruct justice by tipping off suspects.

51
MCQmedium

An organization has just experienced a P1 incident. Which of the following communication steps should occur FIRST?

A.Inform customers
B.Notify law enforcement
C.Issue a media statement
D.Notify executive leadership
AnswerD

Executives need immediate awareness to make decisions.

Why this answer

Internal communication, especially to executives, is typically the first priority to ensure leadership is informed.

52
Multi-Selecteasy

Which THREE of the following are typical roles in an incident response team?

Select 3 answers
A.Human resources manager
B.Security analyst
C.Chief executive officer (CEO)
D.Forensic investigator
E.Legal counsel
AnswersB, D, E

Analysts are key IR team members.

Why this answer

The IR team includes security analysts, forensic investigators, and legal counsel; the CMT includes executives such as the CEO; HR is not a standard IR role.

53
MCQmedium

During a major incident, the crisis management team (CMT) has been activated. Which of the following is typically NOT a member of the CMT?

A.Security analyst
B.General counsel
C.Chief information security officer
D.CEO
AnswerA

Security analysts are on the IR team, not the CMT.

Why this answer

The CMT includes senior executives like CEO, CFO, CISO, GC, and Communications; a security analyst is part of the incident response team, not the CMT.

54
MCQhard

A company experiences a DDoS attack that overwhelms its internet-facing services. The incident response team implements mitigation measures. During which phase of incident response is it most appropriate to collect and preserve evidence for potential legal action?

A.During containment, eradication, and recovery
B.During preparation
C.During detection and analysis
D.During post-incident activity
AnswerA

Evidence preservation should be done before or during containment and recovery to ensure admissibility.

Why this answer

Evidence collection should occur during containment, eradication, and recovery, but ideally before remediation to preserve forensic data. In a DDoS, logs and traffic captures should be preserved early.

55
MCQmedium

After a DDoS attack, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). According to best practices, what should happen next?

A.Notify customers and shut down operations.
B.Escalate to the business continuity and disaster recovery teams.
C.Continue current response efforts and hope for the best.
D.Declare the incident as a disaster immediately without further analysis.
AnswerB

BC/DR activation ensures continuity of critical business functions.

Why this answer

If MTD cannot be met, business continuity or disaster recovery plans should be activated.

56
MCQmedium

Under the proposed SEC rules for cybersecurity incident disclosure, what is the timeframe for reporting a material cybersecurity incident?

A.Within 4 business days
B.Within 7 calendar days
C.Within 72 hours
D.Within 24 hours
AnswerA

The proposed SEC rule requires disclosure within 4 business days of determining materiality.

Why this answer

The proposed SEC rules require reporting within 4 business days for material cybersecurity incidents. GDPR requires 72 hours for personal data breaches.

57
Multi-Selecteasy

An incident response team is creating playbooks for different incident types. Which TWO incident types should have a dedicated playbook? (Select TWO.)

Select 2 answers
A.Ransomware
B.Password expiration
C.Data breach
D.Software update failure
E.Phishing simulation
AnswersA, C

Ransomware has unique containment and recovery steps.

Why this answer

Ransomware and data breach are common incident types that require specific procedures.

58
MCQmedium

Which of the following is the primary purpose of conducting a root cause analysis (RCA) after a security incident?

A.To identify the technical vulnerability that was exploited
B.To determine process and governance failures that allowed the incident to occur
C.To satisfy regulatory reporting requirements
D.To assign blame to responsible individuals
AnswerB

RCA looks beyond technical causes to process and management failures.

Why this answer

RCA aims to identify underlying causes to prevent recurrence. While it may involve understanding the technical cause, the ultimate goal is to improve processes and controls.

59
MCQeasy

Which incident category involves unauthorized access to systems or data by an individual within the organization?

A.DDoS
B.Data breach
C.Ransomware
D.Insider threat
AnswerD

Insider threat is the correct category for malicious or accidental actions by insiders.

Why this answer

Insider threat incidents are caused by employees, contractors, or other trusted insiders.

60
MCQeasy

Which incident severity level requires executive notification and a 24/7 response?

A.P3 — Medium
B.P1 — Critical
C.P4 — Low
D.P2 — High
AnswerB

P1 incidents require 24/7 response and executive notification.

Why this answer

P1 — Critical incidents, such as a complete system outage or data breach, require immediate executive notification and a 24/7 response because they pose an imminent threat to business operations, legal compliance, or data integrity. This severity level triggers the highest escalation path, often involving the CEO, CISO, and legal counsel, with round-the-clock resource allocation to contain and remediate the issue.

Exam trap

The trap here is that candidates often confuse P2 (High) with P1 (Critical) because both involve significant business impact, but only P1 mandates executive notification and 24/7 response, as P2 incidents are typically managed by the incident response team without C-suite involvement unless they escalate.

How to eliminate wrong answers

Option A is wrong because P3 — Medium incidents, such as localized performance degradation, are handled during normal business hours and do not require executive notification or 24/7 response. Option C is wrong because P4 — Low incidents, like minor user errors or cosmetic issues, are typically logged for routine resolution and never trigger executive escalation. Option D is wrong because P2 — High incidents, such as a critical application being slow for many users, may require after-hours response but do not mandate executive notification unless they escalate to P1.

61
MCQeasy

Which incident severity level requires executive notification and a 24/7 response?

A.P2 — High
B.P3 — Medium
C.P1 — Critical
D.P4 — Low
AnswerC

P1 incidents are critical with major business impact, requiring executive notification and 24/7 response.

Why this answer

P1 (critical) incidents have major business impact and require immediate executive notification and round-the-clock response.

62
MCQhard

Following a major security incident, the lessons learned meeting is scheduled. Which of the following outcomes is MOST important to ensure the effectiveness of future incident response?

A.Conducting a new risk assessment
B.Creating a detailed report for senior management
C.Updating the incident response plan and playbooks based on findings
D.Assigning blame to responsible parties
AnswerC

Continuous improvement is key to effective IR.

Why this answer

The primary outcome of a lessons learned meeting is to identify improvements and update the IR plan, not just document or blame.

63
MCQmedium

During a data breach investigation, the incident response team discovers that a backup was encrypted by ransomware. The team needs to determine the sequence of events leading to the encryption. Which of the following documentation is MOST critical to preserve for potential litigation?

A.The communication logs between team members
B.The chain of custody for the backup media
C.The forensic tools used in the investigation
D.The incident response plan version used during the incident
AnswerB

Chain of custody ensures evidence integrity.

Why this answer

Chain of custody documentation is essential to prove the integrity and admissibility of digital evidence in court.

64
MCQeasy

In the incident response team structure, who is typically responsible for coordinating communication with external stakeholders such as customers and the media?

A.Legal counsel
B.Communications lead
C.Incident response manager
D.Executive sponsor
AnswerB

This role is dedicated to managing communications.

Why this answer

The communications lead handles external messaging to ensure consistency and accuracy.

65
MCQeasy

Which component of an incident response program is most likely to include step-by-step technical actions for addressing a specific type of security incident?

A.Incident response playbook
B.Communication templates
C.Incident response policy
D.Incident response plan
AnswerA

Playbooks contain detailed, step-by-step procedures for specific incident types.

Why this answer

An incident response playbook provides detailed, step-by-step technical procedures for handling specific incident types (e.g., ransomware, DDoS, phishing). Unlike higher-level documents, playbooks contain actionable commands, tool-specific instructions, and decision trees that guide responders through containment, eradication, and recovery. This granularity ensures consistent and efficient execution during an active security event.

Exam trap

Cisco often tests the distinction between a plan (strategic, high-level) and a playbook (tactical, step-by-step), causing candidates to mistakenly choose the incident response plan because it sounds more comprehensive.

How to eliminate wrong answers

Option B (Communication templates) is wrong because they focus on predefined messaging for stakeholders (e.g., customers, regulators), not on technical remediation steps. Option C (Incident response policy) is wrong because it defines high-level governance, roles, and compliance requirements, not the tactical actions for a specific incident type. Option D (Incident response plan) is wrong because it outlines the overall organizational approach, escalation paths, and coordination procedures, but lacks the detailed, incident-specific technical steps found in a playbook.

66
MCQmedium

An organization is updating its incident response plan after a major incident. Which post-incident activity should be performed to ensure the plan reflects lessons learned?

A.Updating the IR plan and playbooks based on lessons learned
B.Sharing indicators of compromise with an ISAC
C.Revising the IR policy
D.Conducting a tabletop exercise
AnswerA

Directly incorporating lessons learned into the plan is essential.

Why this answer

Updating the IR plan and playbooks based on lessons learned is the definitive post-incident activity that directly incorporates findings from the after-action review into the operational documentation. This ensures the plan reflects actual gaps or improvements identified during the incident, making it actionable for future events. Without this update, the plan remains static and fails to evolve with the organization's threat landscape.

Exam trap

The trap here is that candidates confuse 'revising the IR policy' (a high-level governance document) with 'updating the IR plan and playbooks' (the operational, detailed documentation that directly incorporates lessons learned), leading them to choose the broader, less actionable option.

How to eliminate wrong answers

Option B is wrong because sharing indicators of compromise with an ISAC is a threat intelligence sharing activity that supports broader community defense, not a post-incident activity to update the organization's own IR plan. Option C is wrong because revising the IR policy is a higher-level governance change that typically occurs less frequently and is not the immediate step for capturing specific operational lessons learned from a single incident. Option D is wrong because conducting a tabletop exercise is a proactive testing activity used to validate the plan, not a post-incident activity to document and apply lessons learned from a real incident.

67
MCQeasy

Which component of an incident response programme provides detailed step-by-step instructions for handling a specific type of incident?

A.Incident response playbook
B.Incident response policy
C.Incident response plan
D.Communication templates
AnswerA

Playbooks provide detailed procedures tailored to each incident type, such as ransomware or data breach.

Why this answer

Playbooks are specific to incident types (e.g., ransomware) and provide step-by-step guidance, whereas the IR plan is a high-level document and policy sets overall intent.

68
MCQhard

During a P1 incident involving a ransomware attack, the crisis management team has been activated. The communications lead is drafting an all-staff internal communication. Which of the following should be INCLUDED in this communication?

A.Names of individuals suspected of causing the incident.
B.Details of the attack vector and affected systems.
C.Instructions for employees to avoid connecting to the network until further notice.
D.Estimated time to full recovery.
AnswerC

This provides actionable guidance to mitigate further spread.

Why this answer

Internal communications during an incident should provide clear guidance to employees on actions they need to take, such as not connecting devices, while avoiding speculation or blame.

69
MCQmedium

During a P1 incident, the incident response manager is preparing an executive sitrep. Which of the following should be included to preserve legal privilege?

A.An estimated financial impact
B.A detailed technical analysis of the attack vector
C.A statement that the sitrep is prepared under the direction of legal counsel
D.Names of the individuals involved in the response
AnswerC

This helps assert attorney-client privilege.

Why this answer

Involving legal counsel in communications can help preserve attorney-client privilege. The sitrep should avoid speculation and include legal counsel input.

70
MCQmedium

During a P1 (critical) incident involving a ransomware attack that has encrypted critical systems, the incident manager needs to provide updates to executives. What is the recommended frequency for situation reports (sitreps)?

A.Hourly
B.Only at milestone events
C.Every 4 hours
D.Daily
AnswerA

Hourly sitreps are standard for P1 incidents to provide timely updates.

Why this answer

For P1 incidents, hourly sitreps keep executives informed of rapidly evolving situations.

71
MCQhard

An organization is required to report a material cybersecurity incident to the SEC within 4 business days (proposed rule). However, the incident is still under investigation. What is the BEST course of action?

A.File a report with the information available and provide updates as the investigation progresses.
B.Request an extension from the SEC because the investigation is ongoing.
C.Delay reporting until the investigation is complete to ensure accuracy.
D.Report the incident only if materiality is confirmed at the end of the investigation.
AnswerA

This complies with the deadline while managing accuracy.

Why this answer

Regulatory deadlines must be met even if information is incomplete; disclose what is known and update later.

72
MCQmedium

An organization's incident response team has contained a ransomware incident. What is the NEXT step according to the incident management program?

A.Eradicate the malware and restore systems
B.Perform root cause analysis
C.Conduct a lessons learned meeting
D.Notify regulatory authorities
AnswerA

Eradication and recovery follow containment in the incident response lifecycle.

Why this answer

After containment, the next priority is eradication of the threat to remove all traces of the malware and restore systems securely.

73
MCQmedium

In the context of incident management, which of the following is the PRIMARY purpose of conducting lessons learned meetings within two weeks of incident resolution?

A.To update the incident response plan and playbooks based on findings.
B.To provide a final report to regulators and law enforcement.
C.To assign blame for the incident and take disciplinary action.
D.To calculate the total financial loss from the incident.
AnswerA

Continuous improvement of the IR program is key.

Why this answer

The main goal is to improve future incident response by identifying what worked and what didn't.

74
Multi-Selecthard

Which TWO of the following are incident categories in an incident management programme?

Select 2 answers
A.Insider threat
B.Theft
C.Ransomware
D.Vulnerability
E.Phishing
AnswersA, C

Insider threat is a specific incident category.

Why this answer

Ransomware and insider threat are defined incident categories; phishing is a technique, not a category; vulnerability is a condition; theft is too broad.

75
MCQmedium

An organization has experienced a ransomware attack that has encrypted critical servers and is causing major business disruption. According to incident severity levels, which priority should this incident be assigned?

A.P2 — High
B.P4 — Low
C.P1 — Critical
D.P3 — Medium
AnswerC

P1 incidents have major business impact and require immediate 24/7 response and executive notification.

Why this answer

A ransomware attack with major business impact is a critical incident (P1), requiring executive notification and 24/7 response.
