CCNA Incident Management Questions

75 of 150 questions · Page 2/2 · Incident Management

76
MCQ · medium

When should an incident response transition to business continuity and disaster recovery (BC/DR) activation?

A. When the incident cannot be resolved within the maximum tolerable downtime (MTD)
B. Immediately upon detection of any incident
C. Only after the incident is fully contained
D. When the incident exceeds the recovery time objective (RTO) but is still within MTD
Answer: A

If MTD cannot be met, BC/DR plans are triggered to restore operations.

Why this answer

BC/DR is activated when the incident cannot be resolved within the maximum tolerable downtime (MTD).

77
MCQ · hard

After a supply chain attack, the incident response team identifies that a third-party vendor's compromised credentials were used to access the organization's network. Which incident category should this be classified under?

A. Insider threat
B. Account compromise
C. Supply chain
D. DDoS
Answer: C

Incidents originating from a third-party vendor's environment are classified as supply chain incidents.

Why this answer

Supply chain incidents involve attacks through third-party vendors or partners, even if the initial vector is credential compromise.

78
Multi-Select · hard

Which TWO of the following are key considerations when managing an external forensics firm during an incident? (Select TWO)

Select 2 answers
A. Allowing the firm to make independent decisions on containment
B. Having the firm report directly to the media
C. Maintaining chain of custody for all evidence
D. Defining the scope of work and evidence handling procedures
E. Ensuring the firm uses only proprietary tools
Answers: C, D

Chain of custody ensures evidence integrity and admissibility.

Why this answer

Managing external forensics involves defining scope, ensuring proper evidence handling and chain of custody, maintaining confidentiality, and preserving attorney-client privilege.

79
MCQ · medium

An organization's incident response plan includes playbooks for different incident types. Which playbook should be used for an incident involving unauthorized access to a user's account due to phishing?

A. Data breach playbook
B. Ransomware playbook
C. Credential compromise playbook
D. Insider threat playbook
Answer: C

Credential compromise covers phishing, password spraying, and account takeover.

Why this answer

Credential compromise incidents, such as account takeover via phishing, are handled by the credential compromise playbook.

80
MCQ · hard

During a data breach investigation, an organization engages an external forensics firm. To preserve attorney-client privilege, which of the following is the BEST practice?

A. Engage the forensics firm under the direction of legal counsel.
B. Have the forensics firm work independently to maintain objectivity.
C. Ensure the forensics firm signs a non-disclosure agreement only.
D. Have the forensics firm report directly to the CISO.
Answer: A

This helps ensure that findings are covered by attorney-client privilege.

Why this answer

Engaging the forensics firm under the direction of legal counsel is the best practice because it gives the strongest basis for claiming attorney-client privilege and work-product protection over the investigation. When counsel retains and directs the firm for the purpose of providing legal advice, communications with the firm and its findings can be withheld from discovery in litigation. The protection is not automatic: courts have ordered production of forensic reports that also served ordinary business purposes (remediation, regulatory reporting, wide distribution to IT staff), so the engagement letter, the stated purpose of the report and its distribution list all need to be managed with counsel. This is a foundational principle in incident response legal strategy.

Exam trap

The trap here is that candidates confuse confidentiality (NDA) with legal privilege, or assume operational independence (reporting to CISO) is acceptable, when only attorney-directed engagement preserves privilege under evidentiary rules.

How to eliminate wrong answers

Option B is wrong because having the forensics firm work independently to maintain objectivity would break the privileged relationship; independent work without legal direction creates discoverable evidence. Option C is wrong because a non-disclosure agreement only protects confidentiality, not legal privilege; it does not shield the investigation from being subpoenaed. Option D is wrong because having the forensics firm report directly to the CISO bypasses legal counsel, making the investigation subject to discovery as ordinary business records.

81
MCQ · medium

An organization is updating its incident response playbook after a ransomware attack. Which of the following should be included as a key step in the ransomware playbook?

A. Reboot all servers to clear the ransomware
B. Immediately pay the ransom demand
C. Isolate affected systems from the network
D. Notify all customers immediately
Answer: C

Isolation prevents further encryption and spread of ransomware.

Why this answer

Ransomware playbooks should include isolating infected systems to prevent spread, as containment is a priority.

82
Multi-Select · medium

Which TWO of the following are required components of an incident response programme according to best practices? (Select two.)

Select 2 answers
A. IR team roster
B. Incident response policy
C. Incident response plan
D. Communication templates
E. Vendor contacts list
Answers: B, C

The policy provides high-level commitment and direction.

Why this answer

The incident response policy is the foundational document that establishes management's commitment, defines roles and responsibilities, and sets the scope and authority for the incident response programme. Without a formal policy, the programme lacks organizational mandate and cannot enforce compliance with incident handling procedures.

Exam trap

Cisco often tests the distinction between the policy (the 'what' and 'why') and the plan (the 'how'), tempting candidates to select operational items like contact lists or templates instead of the mandatory governance components.

83
MCQ · hard

An organization is required to notify regulators of a material cybersecurity incident within 4 business days. Which regulation imposes this requirement?

A. California Consumer Privacy Act (CCPA)
B. SEC proposed rules
C. GDPR
D. PCI DSS
Answer: B

SEC rules mandate 4 business day notification for material incidents.

Why this answer

The SEC's proposed rules (now final) require publicly traded companies to report material cybersecurity incidents on Form 8-K within 4 business days of determining materiality. This is a specific U.S. securities regulation, not a privacy or payment card standard, and it directly mandates the 4-business-day notification window for material incidents.

Exam trap

Cisco often tests the distinction between regulatory notification timelines (e.g., GDPR's 72 hours vs. SEC's 4 business days) and the specific scope of each regulation, leading candidates to confuse privacy breach notification with material incident reporting.

How to eliminate wrong answers

Option A is wrong because California's breach notification law, which the CCPA builds on, requires notice to affected residents "in the most expedient time possible and without unreasonable delay"; it sets no fixed 4-business-day window for notifying a regulator. Option C is wrong because the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, and those are 72 clock hours including weekends and holidays, not business days. Option D is wrong because PCI DSS and the card brands' programme rules require notifying the acquiring bank and card brands as soon as possible after a suspected compromise, but impose no 4-business-day regulatory notification requirement.

84
MCQ · hard

An organization is conducting a root cause analysis after an insider threat incident. Which of the following tools is MOST appropriate for identifying the underlying management governance failure?

A. Risk assessment
B. SWOT analysis
C. 5 Whys
D. Gap analysis
Answer: C

5 Whys helps trace the chain of causation to management and governance issues.

Why this answer

The 5 Whys technique is a simple but effective method to drill down from technical cause to process failure to management failure.

85
MCQ · medium

An organization is subject to GDPR and experiences a data breach involving personal data. What is the maximum timeframe to notify the supervisory authority?

A. 24 hours
B. 48 hours
C. 7 days
D. 72 hours
Answer: D

GDPR mandates notification within 72 hours.

Why this answer

GDPR requires notification within 72 hours of becoming aware of the breach.

86
MCQ · hard

After a data breach involving personal data of EU residents, the incident manager must ensure compliance with GDPR notification requirements. Within how many hours must the organization notify the relevant supervisory authority of the breach?

A. 96 hours
B. 24 hours
C. 48 hours
D. 72 hours
Answer: D

GDPR requires notification within 72 hours of awareness.

Why this answer

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach.

87
MCQ · hard

An organization maintains evidence handling procedures for incident response. A forensic investigator needs to collect a hard drive from a compromised server. Which of the following is the MOST critical step to ensure admissibility in court?

A. Encrypting the hard drive during transport.
B. Creating a forensic image of the hard drive before disconnecting it.
C. Ensuring the investigator has the proper certification.
D. Documenting the chain of custody from the moment of collection.
Answer: D

Chain of custody proves evidence hasn't been tampered with.

Why this answer

Chain of custody documentation is essential for evidence integrity and admissibility.

88
MCQ · medium

An organization is updating its incident response plan after a lessons learned meeting. Which of the following is the primary purpose of updating the plan based on lessons learned?

A. To assign blame for failures
B. To share threat intelligence with ISACs
C. To incorporate improvements to prevent recurrence and enhance response
D. To document the incident for regulatory compliance
Answer: C

Updating the IR plan with changes identified in lessons learned helps prevent similar incidents and improve response.

Why this answer

The primary purpose is to incorporate improvements to prevent recurrence and improve response effectiveness.

89
Multi-Select · medium

Which THREE of the following are incident severity levels defined in a typical incident management program? (Select three.)

Select 3 answers
A. P5 – Low
B. P3 – Medium
C. P1 – Critical
D. P0 – Emergency
E. P2 – High
Answers: B, C, E

P3 has limited impact and standard response.

Why this answer

Common severity levels include P1 (critical), P2 (high), P3 (medium), and P4 (low). The four-level scheme assumed by this question defines no P0 "emergency" tier above critical and nothing below P4, so P0 and P5 are not valid answers here. Some organizations do use a P0 for total outages; on the exam, treat the scheme given in the question as authoritative.

90
MCQ · easy

An incident response team is conducting an exercise to test its playbook for a ransomware incident. Which of the following is the PRIMARY benefit of such an exercise?

A. Validating the incident response plan and identifying areas for improvement
B. Documenting the exercise for future reference
C. Complying with regulatory requirements
D. Testing the technical skills of the team
Answer: A

Plan validation and improvement are key objectives.

Why this answer

Exercises validate the effectiveness of the plan and identify gaps before a real incident.

91
MCQ · easy

Which of the following is an example of an external stakeholder that should be included in the incident response plan's vendor contacts list?

A. Chief Information Security Officer
B. Incident response manager
C. External legal counsel
D. Board of directors
Answer: C

External legal counsel is a vendor contact often needed during incidents.

Why this answer

Third-party contacts such as legal firms, forensic investigators, PR agencies, and insurance providers are essential for incident response. Internal contacts are separate.

92
MCQ · medium

When an incident cannot be resolved within the maximum tolerable downtime (MTD), what is the appropriate action regarding business continuity and disaster recovery (BC/DR)?

A. Ignore the MTD and focus solely on incident eradication
B. Continue incident response until full recovery
C. Declare a disaster immediately without further analysis
D. Escalate to the BC/DR team for possible activation of continuity plans
Answer: D

This triggers BC/DR processes to protect business operations.

Why this answer

If the MTD is at risk, the incident response team should escalate to BC/DR to activate continuity or recovery plans. This ensures business functions are restored.

93
Multi-Select · hard

Which TWO of the following are key roles on the crisis management team (CMT) for a major cybersecurity incident? (Select two.)

Select 2 answers
A. Chief Information Security Officer (CISO)
B. Security analyst
C. Chief Executive Officer (CEO)
D. Help desk manager
E. Network administrator
Answers: A, C

CISO leads the technical response and advises on security matters.

Why this answer

The CMT typically includes the CEO and CISO, among others, to make strategic decisions.

94
MCQ · easy

Which of the following is the FIRST step when engaging an external forensics firm for an incident?

A. Activate the forensic retainer agreement
B. Provide evidence to the firm
C. Define the scope of work
D. Sign a non-disclosure agreement
Answer: A

A pre-signed retainer allows immediate activation.

Why this answer

Having a pre-existing retainer agreement reduces time to engage and ensures terms are already in place.

95
MCQ · hard

Following a credential compromise incident, the incident response team is conducting root cause analysis using the 5 Whys technique. The first 'why' reveals that the password was weak. The second 'why' reveals that the password policy allowed simple passwords. What should be the focus of the third 'why'?

A. Why the password policy allowed weak passwords
B. Why the intrusion was not detected earlier
C. Why the user had access to the compromised system
D. Why the user chose a weak password
Answer: A

This leads to the process failure that allowed the weak policy.

Why this answer

Root cause analysis should continue to identify why the password policy was not enforced or why it was inadequate, which is a process failure.

96
MCQ · hard

An organization has experienced a ransomware attack that has encrypted critical servers. The incident response team is unable to contain the incident within the maximum tolerable downtime (MTD). Who has the authority to declare a disaster and activate the business continuity plan?

A. The incident response manager
B. The chief executive officer (CEO) or designated crisis management team
C. The business continuity manager
D. The chief information security officer (CISO)
Answer: B

The CEO or CMT usually has authority to activate BC/DR.

Why this answer

The BC/DR plan typically specifies a designated authority, such as the CEO or a crisis management team, to declare a disaster when MTD is breached.

97
MCQ · easy

Which incident category typically involves an employee intentionally or accidentally causing harm to the organization's information systems?

A. Data breach
B. DDoS
C. Ransomware
D. Insider threat
Answer: D

This category specifically covers threats from within the organization.

Why this answer

An insider threat is the correct category because it specifically involves harm caused by individuals within the organization, whether through malicious intent (e.g., data exfiltration, sabotage) or accidental actions (e.g., misconfiguration, phishing click). This aligns with the CISM definition of insider threats as incidents originating from employees, contractors, or trusted partners who have authorized access to information systems.

Exam trap

Cisco often tests the distinction between the incident category (who or what caused it) and the incident type or outcome, leading candidates to confuse 'insider threat' with 'data breach' because a data breach can be caused by an insider, but the question asks for the category that involves the employee's action.

How to eliminate wrong answers

Option A is wrong because a data breach is the outcome or result of an incident (e.g., unauthorized access or disclosure of data), not the category of the actor or cause; it does not specify whether the source is internal or external. Option B is wrong because a DDoS (Distributed Denial of Service) attack is an external attack, typically volumetric or application-layer flooding launched from botnets, that exhausts network or system resources; it is not an employee's intentional or accidental action. Option C is wrong because ransomware is a type of malware that encrypts files for extortion, usually delivered via external phishing or exploit kits, and does not inherently involve an employee's direct action causing harm to systems.

98
MCQ · medium

During a P1 (critical) incident, the incident response manager is coordinating response activities. Who is primarily responsible for activating the crisis management team (CMT)?

A. The communications lead
B. The legal counsel
C. The incident response manager
D. The CEO of the organization
Answer: C

The IR manager assesses the severity and activates the CMT when the incident is critical (P1).

Why this answer

The crisis management team is typically activated by the incident response manager or a designated authority when an incident has major business impact. The CMT includes senior executives like CEO, CFO, CISO, GC, and Communications lead.

99
MCQ · easy

Which of the following is the PRIMARY purpose of conducting a lessons learned meeting after an incident?

A. To assign blame for the incident.
B. To determine the financial impact of the incident.
C. To document the incident for regulatory reporting.
D. To update the incident response plan and playbooks based on findings.
Answer: D

The goal is to improve future response by updating plans and procedures.

Why this answer

Lessons learned meetings are designed to identify strengths and weaknesses in the incident response process and to implement improvements.

100
Multi-Select · hard

Which THREE of the following are essential elements of a forensic evidence handling procedure to ensure admissibility in court?

Select 3 answers
A. Placing a legal hold on relevant data
B. Maintaining a documented chain of custody
C. Performing analysis directly on original systems
D. Using automated tools without validation
E. Creating bit-for-bit forensic copies of affected media
Answers: A, B, E

A legal hold prevents destruction of evidence.

Why this answer

A legal hold is essential because it suspends the normal data retention and deletion policies, ensuring that potentially relevant evidence is preserved from alteration or destruction. This is a foundational step in the e-discovery process and directly supports the admissibility of evidence by demonstrating that the organization took proactive steps to prevent spoliation.

Exam trap

Cisco often tests the misconception that direct analysis on original systems is acceptable, but in forensic procedures, any direct manipulation of original media is prohibited to avoid altering the evidence and compromising its admissibility.

101
MCQ · medium

An organization's incident response team is handling a P2 incident involving an insider threat. The team has identified the employee responsible. The communications lead is preparing a notification to affected parties. Which of the following should be included in the notification?

A. A detailed timeline of the investigation
B. An apology from the CEO
C. The type of data that was compromised and steps taken to mitigate
D. The name of the employee responsible
Answer: C

These are required elements for notification.

Why this answer

Regulatory notifications must include a description of the incident, data involved, and mitigation steps, while avoiding speculation.

102
Multi-Select · medium

After a data breach involving customer PII, the incident response team is conducting a root cause analysis. Which THREE factors should be examined according to CISM best practices? (Select THREE.)

Select 3 answers
A. The management or governance failure that allowed the process failure.
B. The cost of the breach to the organization.
C. The specific employee who clicked the phishing email.
D. The technical vulnerability that allowed the breach.
E. The process failure that allowed the vulnerability to exist.
Answers: A, D, E

Management oversight is needed to ensure processes are effective.

Why this answer

Root cause analysis should identify technical, process, and management failures.

103
MCQ · medium

During a DDoS attack classified as P2, what is the EXPECTED response time and notification level?

A. Standard response; team lead notification
B. Business hours response; management notification
C. 24/7 response; executive notification
D. Scheduled remediation; email notification
Answer: B

P2 has significant impact, so management is notified and response occurs during business hours.

Why this answer

P2 incidents require management notification and a response during business hours.

104
Multi-Select · hard

An organization is preparing for a potential supply chain incident. According to CISM best practices, which THREE elements should be included in the supply chain incident playbook? (Select THREE.)

Select 3 answers
A. A step-by-step guide for paying ransoms to cybercriminals.
B. Procedures for isolating affected systems and networks.
C. A list of approved vendors for DDoS mitigation services.
D. Communication templates for notifying affected partners and customers.
E. Instructions for contacting the organization's legal counsel.
Answers: B, D, E

Containment is a key step in any incident response.

Why this answer

Supply chain incidents require specific procedures for vendor coordination, technical response, and communication.

105
MCQ · medium

An organization's incident response team has identified that a data breach involves customer personal information. Which of the following should be done FIRST to preserve evidence for potential litigation?

A. Issue a legal hold to preserve relevant data
B. Notify affected customers
C. Begin system restoration from backups
D. Conduct a root cause analysis
Answer: A

A legal hold ensures that all relevant data is preserved for potential legal proceedings.

Why this answer

Legal hold prevents spoliation of evidence; it must be issued before any remediation that could alter data.

106
MCQ · medium

During a DDoS attack, the incident response team is struggling to mitigate the attack. The team decides to engage the organization's ISP and a DDoS mitigation service. Which of the following should be done FIRST?

A. Activate the crisis management team
B. Refer to the incident response playbook for DDoS attacks
C. Notify law enforcement
D. Initiate legal hold on all relevant logs
Answer: B

The playbook provides predefined steps and contacts.

Why this answer

The IR plan should include pre-established contacts and procedures; contacting the ISP and mitigation service should follow the plan's escalation process.

107
Multi-Select · hard

Which TWO of the following are appropriate actions for preserving evidence during a cybersecurity incident?

Select 2 answers
A. Reboot systems to capture volatile memory
B. Create forensic bit-for-bit images of affected systems
C. Issue a legal hold to prevent deletion of relevant data
D. Disconnect affected systems from the network immediately
E. Delete temporary files to free up space
Answers: B, C

Forensic images preserve the exact state for analysis and litigation.

Why this answer

Preserving evidence includes creating forensic images and issuing legal holds to prevent spoliation. Option A is wrong because rebooting destroys volatile memory rather than capturing it; memory must be acquired live, before any reboot or shutdown. Option D describes containment, not preservation: pulling a system off the network before volatile state (memory, active connections, logged-on sessions) has been captured loses that evidence, so isolation should be sequenced with acquisition rather than done blindly. Option E destroys potential artifacts outright.
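The imaging and chain-of-custody points in questions 87, 100 and 107 above, as an added worked example that is not part of the original question bank: a Python script that makes a bit-for-bit copy of a source, hashes the source stream and the finished image independently, refuses the image if they differ, and keeps a hash-chained custody log so that editing or dropping an earlier entry is detectable. The evidence identifier EV-2024-0007, the custodian names and the sample "disk" contents are constructed for the example; a real acquisition would read the drive through a write blocker with a dedicated imaging tool, but the verification and logging logic is the same.

```python
"""Added example: bit-for-bit imaging with hash verification and a tamper-evident
chain-of-custody log. Identifiers, names and the sample 'disk' are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read/write in 1 MiB pieces so large media never sit fully in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Copy `source` to `image_path` byte for byte.

    The source hash is taken from the same read stream that is written out; the
    finished image is then re-read and hashed independently. A mismatch means the
    copy is not a faithful duplicate and must not be treated as evidence."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # bytes must be on disk before they are hashed back
    source_hash = h.hexdigest()
    image_hash = sha256_file(image_path)
    if image_hash != source_hash:
        raise RuntimeError(f"image verification failed: {source_hash} != {image_hash}")
    return source_hash


class CustodyLog:
    """Append-only chain-of-custody record.

    Each entry stores the hash of the previous entry plus a hash of its own fields,
    so altering, inserting or removing an entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash_entry(entry):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def record(self, evidence_id, action, custodian, evidence_sha256, note=""):
        entry = {
            "evidence_id": evidence_id,
            "action": action,  # collected / imaged / transferred / analysed / returned
            "custodian": custodian,
            "evidence_sha256": evidence_sha256,
            "note": note,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_entry_hash"] != prev or self._hash_entry(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def run_demo(workdir=None):
    """Constructed scenario: a seized drive 'srv-db01-sda' is imaged as EV-2024-0007."""
    workdir = workdir or tempfile.mkdtemp(prefix="custody-demo-")
    source = os.path.join(workdir, "srv-db01-sda.raw")
    image = os.path.join(workdir, "EV-2024-0007.dd")
    with open(source, "wb") as f:  # constructed sample media: 2 MiB pattern + 17 trailing bytes
        f.write(bytes(range(256)) * 8192 + b"end-of-evidence!!")

    log = CustodyLog()
    log.record("EV-2024-0007", "collected", "J. Doe", sha256_file(source), "server room, bay 3")
    source_hash = acquire_image(source, image)
    log.record("EV-2024-0007", "imaged", "J. Doe", source_hash, "image hash verified against source")
    log.record("EV-2024-0007", "transferred", "A. Lee", sha256_file(image), "released to external forensics firm")
    return {
        "source_hash": source_hash,
        "image_hash": sha256_file(image),
        "image_size": os.path.getsize(image),
        "log_ok": log.verify(),
        "log": log,
    }


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["log"].entries, indent=2))
    print("image verified:", result["source_hash"] == result["image_hash"], "| log intact:", result["log_ok"])
```

Two design points worth noting: the hash recorded at collection time is taken before any copy is made, so every later custody entry can be checked against it, and the log entries chain to each other, so a custodian cannot quietly rewrite who held the evidence when. Production tooling typically records more than one hash algorithm and the tool version used; both fit into the `note` or as extra fields without changing the verification logic.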

108
Multi-Select · hard

Which THREE of the following are objectives of a lessons learned meeting after an incident? (Select three.)

Select 3 answers
A. Determine what worked well and what did not
B. Assign blame for the incident
C. Share indicators of compromise with an ISAC
D. Develop recommendations for improvement
E. Identify what happened during the incident
Answers: A, D, E

Evaluating response effectiveness is a primary goal.

Why this answer

Lessons learned meetings aim to identify what happened, what worked well, and what didn't, and to develop recommendations for improvement. Sharing IoCs with ISACs is a separate activity, not a meeting objective.

109
MCQ · hard

A company discovers a credential compromise affecting multiple user accounts. According to best practices, what is the first step the incident response team should take?

A. Conduct a root cause analysis
B. Disable compromised accounts and reset passwords
C. Contact law enforcement
D. Notify affected users immediately
Answer: B

Containment is the immediate priority to stop further damage.

Why this answer

When a credential compromise is discovered, the immediate priority is containment to prevent further unauthorized access. Disabling compromised accounts and resetting passwords (Option B) stops the attacker from using the stolen credentials, aligning with the NIST SP 800-61 incident response lifecycle's containment phase. This action directly mitigates the active threat before any forensic analysis or notification occurs.

Exam trap

Cisco often tests the misconception that 'notify affected users' is the first step, but in incident management, containment (disabling accounts) always precedes notification to avoid alerting the adversary or causing operational chaos.

How to eliminate wrong answers

Option A is wrong because root cause analysis is a post-containment step; performing it first would leave compromised accounts active, allowing the attacker to continue lateral movement or data exfiltration. Option C is wrong because contacting law enforcement is a secondary step that typically occurs after containment and evidence preservation, and it does not immediately stop the active compromise. Option D is wrong because notifying affected users immediately could cause panic, tip off the attacker, or lead to data loss if users attempt to investigate on their own; notification should follow a coordinated communication plan after containment.

110
MCQ · medium

An organization has experienced a ransomware attack that encrypted critical servers. The incident has been classified as P1. Which of the following is the FIRST action the incident response team should take according to the IR plan?

A. Perform root cause analysis to determine how the ransomware entered.
B. Begin forensic imaging of all affected servers for evidence preservation.
C. Notify the CEO and activate the crisis management team.
D. Contain the incident by isolating affected systems from the network.
Answer: D

Containment is the immediate priority to stop the spread of ransomware.

Why this answer

For a P1 incident, the IR plan dictates immediate containment to prevent further spread, followed by notification to the executive sponsor and activation of the crisis management team.

111
MCQ · easy

Which of the following is the PRIMARY reason for having a pre-established forensic retainer agreement before an incident occurs?

A. To ensure the forensic firm is familiar with the organization's environment.
B. To reduce the time needed to bring forensic experts on board during an incident.
C. To lock in a favorable pricing structure.
D. To ensure the forensic firm has the necessary certifications.
Answer: B

A pre-signed retainer eliminates contract negotiation delays.

Why this answer

The primary reason for a pre-established forensic retainer agreement is to reduce the time needed to bring forensic experts on board during an incident. In incident management, every minute of delay can allow an attacker to exfiltrate data or destroy evidence; a retainer bypasses the procurement and contracting process, enabling immediate deployment of the forensic team to preserve volatile memory and capture network artifacts.

Exam trap

Cisco often tests the distinction between operational readiness (speed of response) and secondary benefits (cost, familiarity, certifications), and the trap here is that candidates choose a plausible but non-primary reason like 'familiarity with the environment' instead of recognizing that the retainer's core value is eliminating procurement delays during a crisis.

How to eliminate wrong answers

Option A is wrong because while familiarity with the environment can be beneficial, it is not the primary reason for a retainer; the retainer's main purpose is speed of engagement, not pre-incident knowledge transfer. Option C is wrong because locking in a favorable pricing structure is a secondary financial benefit, not the primary driver for incident response readiness. Option D is wrong because ensuring the forensic firm has necessary certifications is a due diligence step that should be verified during vendor selection, but it is not the core reason for having a retainer agreement in place before an incident.

112
MCQ · medium

An organization is conducting a root cause analysis after a data breach. Which of the following sequences BEST aligns with the 5 Whys approach from a CISM perspective?

A. Management failure → Process failure → Technical cause
B. Process failure → Technical cause → Management failure
C. Technical cause → Management failure → Process failure
D. Technical cause → Process failure → Management failure
Answer: D

This sequence identifies underlying root causes at each level.

Why this answer

The 5 Whys should drill down from technical cause to process failure to management/governance failure, as per the domain content.

113
MCQ · hard

During a P1 incident, the crisis management team (CMT) is activated and meets within the first hour. Which communication practice is most appropriate for the CMT to follow when providing updates to the board of directors?

A. Send a brief status report every hour, avoiding speculation and including legal counsel review
B. Provide detailed technical updates every hour
C. Provide speculative root cause analysis to demonstrate competence
D. Wait until the incident is fully understood before any communication
Answer: A

This maintains timely communication while protecting confidentiality.

Why this answer

During a P1 incident, the CMT must provide timely, concise updates to the board to maintain trust and enable strategic decisions. Option A is correct because it balances frequency (hourly) with content discipline (avoiding speculation) and includes legal counsel review, which is critical for compliance and liability management. This aligns with the CISM Incident Management domain's emphasis on clear, non-technical communication to senior leadership.

Exam trap

The trap here is that candidates confuse the need for technical accuracy with the board's need for strategic clarity, leading them to choose detailed technical updates (Option B) instead of concise, legally vetted status reports.

How to eliminate wrong answers

Option B is wrong because detailed technical updates are inappropriate for the board, which requires high-level impact and status summaries, not technical minutiae like packet captures or system logs. Option C is wrong because speculative root cause analysis can mislead the board, create false confidence, and expose the organization to legal or reputational risk if the actual cause differs. Option D is wrong because waiting until full understanding delays critical communication, leaving the board uninformed and unable to make timely resource or public relations decisions.

114
MCQ · medium

An organization has experienced a credential compromise incident. Which playbook should the incident response team primarily use?

A. Data breach playbook
B. Ransomware playbook
C. Credential compromise playbook
D. Insider threat playbook
Answer: C

Each incident type has a dedicated playbook; credential compromise is one.

Why this answer

Playbooks are tailored to incident types; credential compromise has its own specific playbook.

115
MCQ · medium

During a DDoS attack, the incident response team determines that the attack cannot be mitigated within the maximum tolerable downtime (MTD). What should happen next?

A. Notify the board of directors
B. Continue current mitigation efforts
C. Activate business continuity and disaster recovery plans
D. Declare a disaster immediately
Answer: C

Transition to BC/DR to ensure continuity.

Why this answer

When an incident cannot be resolved within MTD, the organization should escalate to business continuity and disaster recovery activation.

116
MCQ · easy

An organization's incident response plan includes a ransomware playbook. After detecting ransomware on a critical server, which of the following should be the FIRST action according to best practices?

A. Notify the CEO and legal counsel before taking any action.
B. Disconnect the server from the network and isolate it.
C. Pay the ransom immediately to regain access.
D. Immediately reboot the server to remove the ransomware.
Answer: B

Containment is the priority to limit damage.

Why this answer

Option B is correct because the immediate priority in ransomware containment is to prevent lateral movement and further encryption of systems. Disconnecting the server from the network (e.g., unplugging the Ethernet cable or disabling the virtual switch port) stops the ransomware from communicating with its command-and-control (C2) server and encrypting additional network shares. This aligns with the NIST SP 800-61 incident response containment strategy, which emphasizes isolation before any other action.

Exam trap

Cisco often tests the misconception that immediate notification of executives or legal counsel is the first step, but the CISM framework prioritizes containment actions (like isolation) before communication to prevent further damage.

How to eliminate wrong answers

Option A is wrong because notifying the CEO and legal counsel before taking action introduces unnecessary delay, allowing the ransomware to spread further and encrypt more data; notification should occur after containment. Option C is wrong because paying the ransom is not a first action—it is a last-resort business decision that may encourage further attacks and does not guarantee data recovery, and it violates FBI and CISA guidelines. Option D is wrong because rebooting the server can trigger the ransomware to complete its encryption process or delete volume shadow copies, potentially causing permanent data loss and destroying forensic evidence.

117
MCQ · hard

Following a data breach, an organization conducts a root cause analysis using the 5 Whys technique. The analysis identifies that a misconfigured firewall allowed unauthorized access. What is the most important next step to prevent recurrence?

A. Implement a change management process to prevent unauthorized configuration changes
B. Update the firewall rule base immediately
C. Conduct a vulnerability scan on all firewalls
D. Disconnect the firewall from the network
Answer: A

Addressing the process failure that allowed the misconfiguration prevents similar issues across the organization.

Why this answer

Root cause analysis should uncover not just technical causes but also the process and governance failures that allowed the misconfiguration. Addressing the management failure (e.g., inadequate change management) provides a systemic fix.

118
Multi-Select · medium

Which TWO of the following are essential components of an incident response programme?

Select 2 answers
A. Incident response plan
B. Incident response policy
C. Annual penetration test
D. Vulnerability scanning schedule
E. Security awareness training
Answers: A, B

The plan provides the structured approach for responding to incidents.

Why this answer

An IR programme must include a formal policy and a documented plan. Playbooks are also important but the core components are policy and plan.

119
MCQ · medium

During a major incident, the incident response team discovers that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?

A. Continue incident response efforts until resolution regardless of time
B. Declare the incident a disaster and shut down all systems
C. Notify the insurance provider immediately
D. Escalate to activate the business continuity and disaster recovery plans
Answer: D

Escalating to BC/DR activation is the correct action when the incident cannot be resolved within MTD.

Why this answer

When an incident cannot be resolved within the MTD, it triggers the transition to business continuity and disaster recovery (BC/DR) plans to maintain critical operations.

120
MCQ · hard

After a major incident, the lessons learned meeting is scheduled. According to best practices, when should this meeting typically be held after incident resolution?

A. Within one month
B. Within two weeks
C. Within 24 hours
D. Within one week
Answer: B

Two weeks is the standard timeframe for lessons learned meetings.

Why this answer

Best practices recommend holding the lessons learned meeting within two weeks of incident resolution to capture details while they are fresh.

121
MCQ · medium

During a P1 (critical) security incident involving a ransomware attack that has encrypted critical servers, which role is primarily responsible for coordinating the overall response and ensuring timely communication to executive leadership?

A. Incident response manager
B. Security analyst
C. Forensic investigator
D. Communications lead
Answer: A

The IR manager leads the response and communicates with executives.

Why this answer

In a P1 ransomware incident, the incident response manager (IRM) is responsible for orchestrating the overall response, prioritizing containment over eradication, and ensuring that executive leadership receives timely, accurate status updates. Unlike technical roles, the IRM owns the incident command structure, coordinates cross-functional teams, and manages communication escalations to stakeholders, which is critical when encrypted servers demand immediate business continuity decisions.

Exam trap

Cisco often tests the distinction between tactical roles (analyst, forensic investigator) and the strategic coordination role (incident response manager), leading candidates to mistakenly choose the communications lead because they confuse 'communication to executives' with the overall coordination responsibility.

How to eliminate wrong answers

Option B (Security analyst) is wrong because a security analyst focuses on technical triage, log analysis, and initial containment actions, not on coordinating the overall response or communicating with executives. Option C (Forensic investigator) is wrong because a forensic investigator is responsible for preserving evidence and performing root-cause analysis, not for managing the incident response lifecycle or executive updates. Option D (Communications lead) is wrong because while the communications lead handles external and internal messaging, they do not own the overall response coordination; they report to the incident response manager who retains strategic authority.

122
MCQ · medium

An organization has experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame within which the organization must notify the relevant supervisory authority?

A. 72 hours
B. 48 hours
C. 24 hours
D. 96 hours
Answer: A

GDPR mandates notification within 72 hours of becoming aware of a personal data breach.

Why this answer

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to rights and freedoms.

123
MCQ · medium

Which of the following is the PRIMARY reason to include legal counsel in the incident response team?

A. To communicate with the media
B. To authorize technical containment actions
C. To advise on legal obligations and protect privilege
D. To manage technical aspects of the investigation
Answer: C

Legal counsel provides guidance on privilege, notification, and regulatory compliance.

Why this answer

Legal counsel ensures that actions taken during an incident preserve attorney-client privilege and comply with legal obligations, such as breach notification and litigation holds.

124
MCQ · easy

Which of the following is the primary purpose of having a pre-established forensic retainer agreement?

A. To reduce the time required to engage external forensics during an incident
B. To ensure the forensics firm is certified
C. To guarantee the lowest price for forensic services
D. To comply with regulatory requirements
Answer: A

A retainer ensures immediate availability without contract delays.

Why this answer

A pre-established retainer reduces the time to engage a forensics firm during an incident, ensuring rapid response.

125
MCQ · medium

During a P1 incident involving a ransomware attack, the incident response manager needs to communicate with executives. Which of the following is the most appropriate approach for executive communication?

A. Include speculative root causes to show thoroughness
B. Wait until the incident is fully resolved before communicating
C. Send hourly situation reports (sitreps) focusing on business impact and key actions
D. Provide detailed technical analysis in every update
Answer: C

Hourly sitreps are appropriate for P1 incidents, focusing on impact and response actions.

Why this answer

For critical incidents, hourly sitreps (situation reports) are recommended to keep executives informed. Avoiding speculation and preserving legal privilege with counsel involvement are also key.

126
MCQ · medium

During a major cybersecurity incident, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?

A. Conduct a root cause analysis
B. Declare a disaster and activate the BC/DR plan
C. Notify the executive sponsor and continue response efforts
D. Increase the number of incident responders
Answer: B

If the incident cannot be resolved within MTD, the organization must escalate to BC/DR to ensure business continuity.

Why this answer

When an incident cannot be resolved within MTD, the organization should escalate to business continuity and disaster recovery activation to restore operations.

127
MCQ · medium

An organization's incident response team is handling a P2 insider threat incident involving unauthorized access to customer data. According to the incident classification, which of the following is the MOST appropriate notification and response timeframe?

A. No notification required; handle during scheduled remediation.
B. Notification to the communications lead and response within 48 hours.
C. Notification to management within 24 hours and response during business hours.
D. Immediate notification to the executive sponsor and 24/7 response.
Answer: C

P2 requires management notification and business hours response.

Why this answer

P2 incidents are high severity with significant impact, requiring management notification and response during business hours.

128
Multi-Select · medium

Which TWO of the following are key responsibilities of the crisis management team (CMT) during a major cybersecurity incident?

Select 2 answers
A. Restoring backups of affected servers
B. Approving external communications and public statements
C. Analyzing log files to identify the attack vector
D. Conducting technical forensic analysis of compromised systems
E. Making strategic decisions about business continuity activation
Answers: B, E

The CMT oversees communication strategy.

Why this answer

Option B is correct because the crisis management team (CMT) is responsible for high-level strategic decisions, including approving external communications and public statements to manage reputation and legal exposure during a major cybersecurity incident. This aligns with the CMT's role in coordinating response efforts and ensuring consistent messaging, as defined in incident management frameworks like NIST SP 800-61.

Exam trap

The trap here is confusing the strategic responsibilities of the CMT with the tactical or operational tasks of the technical incident response team, leading candidates to select hands-on actions like log analysis or backup restoration instead of high-level decision-making roles.

129
Multi-Select · medium

Which TWO of the following are essential components of an incident response (IR) plan? (Select TWO)

Select 2 answers
A. Vendor risk assessment reports
B. Detailed network architecture diagrams
C. Communication templates
D. Playbook for ransomware incidents
E. IR team roster and contact list
Answers: C, E

Communication templates are important for consistent and timely stakeholder notifications.

Why this answer

The IR plan includes the IR team roster and contact list, and communication templates. Procedures for specific incident types are typically in separate playbooks.

130
Multi-Select · medium

Which TWO of the following are essential components of an incident response plan? (Select two.)

Select 2 answers
A. Communication templates
B. Vendor risk assessment reports
C. IR team roster and contact list
D. Network architecture diagrams
E. Annual security awareness training schedule
Answers: A, C

Templates ensure timely and consistent communication during an incident.

Why this answer

Essential components include the IR team roster and contact list, and communication templates for consistent messaging.

131
MCQ · hard

An incident response team is handling a P2 (high) incident. According to the incident severity classification, which of the following is the expected response timeframe?

A. Standard response with no escalation
B. Business hours response with management notification
C. Scheduled remediation
D. 24/7 response with executive notification
Answer: B

P2 is high severity, requiring management notification and response during business hours.

Why this answer

A P2 (high) incident requires a response during business hours with management notification, as defined by the incident severity classification. This ensures that the incident is addressed promptly within operational hours while keeping management informed for potential escalation or resource allocation.

Exam trap

The trap here is confusing P2 (high) with P1 (critical), leading candidates to select the 24/7 response with executive notification, which is reserved for incidents causing severe business impact or data loss.

How to eliminate wrong answers

Option A is wrong because a standard response with no escalation is reserved for lower-severity incidents (e.g., P3 or P4), not for a P2 high-severity incident that demands management awareness. Option C is wrong because scheduled remediation applies to non-critical, low-priority incidents (e.g., P4) where a planned fix is acceptable, not for a high-severity incident requiring immediate attention. Option D is wrong because 24/7 response with executive notification is reserved for critical incidents (e.g., P1), where immediate round-the-clock action and top-level executive involvement are mandatory, exceeding the requirements for a P2 incident.

132
MCQ · hard

During a post-incident root cause analysis, the team uses the '5 Whys' technique and identifies a technical vulnerability as the cause. According to CISM best practices, what should be the NEXT level of analysis?

A. Determine the process failure that allowed the vulnerability to go unaddressed.
B. Immediately patch the vulnerability and move on.
C. Escalate the issue to the vendor for a software fix.
D. Identify the specific employee responsible for the vulnerability.
Answer: A

Understanding the process gap helps prevent recurrence.

Why this answer

The '5 Whys' should drill deeper to uncover process and management failures that allowed the technical vulnerability to exist.

133
MCQ · medium

Which of the following is the BEST approach for sharing threat intelligence indicators of compromise (IoCs) after an incident?

A. Report IoCs to law enforcement only.
B. Share IoCs with industry peers via the relevant ISAC.
C. Keep IoCs confidential to protect the organization's reputation.
D. Publish IoCs on the organization's public website.
Answer: B

ISACs provide a trusted mechanism for sharing threat information.

Why this answer

Sharing IoCs with an ISAC (Information Sharing and Analysis Center) helps the broader community defend against similar attacks, which is a key post-incident activity.

134
MCQ · easy

Which of the following is typically a member of the crisis management team (CMT) during a major cybersecurity incident?

A. Chief executive officer (CEO)
B. Security operations center (SOC) analyst
C. Help desk manager
D. External forensics investigator
Answer: A

The CEO is a key member of the CMT for major incidents.

Why this answer

The CMT includes senior leaders such as the CEO, CFO, CISO, General Counsel, and Communications head to handle strategic decisions and external communications.

135
Multi-Select · medium

An organization is updating its incident response plan. Which TWO components are essential to include for effective insider threat management? (Select TWO.)

Select 2 answers
A. A dedicated ransomware recovery procedure.
B. Procedures for coordinating with human resources and legal departments.
C. A list of all employee passwords for investigation purposes.
D. A playbook specifically for insider threat scenarios.
E. Contact information for the DDoS mitigation service provider.
Answers: B, D

Insider threats often involve employee relations and legal action.

Why this answer

Insider threats require specific playbooks and involvement of HR and legal for proper handling.

136
MCQ · medium

During a P1 incident, the crisis management team (CMT) has been activated. The CEO asks for an hourly sitrep. Which of the following is the MOST appropriate content for the sitrep?

A. Current status of containment, confirmed facts, and actions taken, with legal counsel input.
B. A detailed technical analysis of the attack vector and exploited vulnerabilities.
C. Names of individuals potentially responsible for the incident.
D. Estimated financial impact and potential regulatory penalties.
Answer: A

This provides clear, factual updates while protecting privilege.

Why this answer

During a P1 incident, the CEO requires a concise, actionable sitrep focused on containment status, confirmed facts, and actions taken. Legal counsel input is critical to avoid premature attribution or disclosure that could create liability or violate data breach notification laws. This aligns with the CISM incident management principle of providing decision-ready information to executive leadership without technical clutter.

Exam trap

Cisco often tests the distinction between operational incident management (executive sitrep) and technical incident response (detailed analysis), leading candidates to choose overly technical options like B instead of the legally vetted, decision-focused summary in A.

How to eliminate wrong answers

Option B is wrong because a detailed technical analysis of the attack vector and exploited vulnerabilities is too granular for an hourly executive sitrep; it belongs in a technical incident report for the IR team. Option C is wrong because naming individuals potentially responsible before investigation and legal review can lead to defamation risks, privacy violations, and interference with law enforcement or forensic processes. Option D is wrong because estimated financial impact and regulatory penalties are premature during active containment; such estimates require post-incident assessment and are not suitable for an hourly operational update.

137
MCQ · medium

Which incident severity level requires executive notification and a 24/7 response?

A. P3 – Medium
B. P1 – Critical
C. P4 – Low
D. P2 – High
Answer: B

P1 requires executive notification and 24/7 response.

Why this answer

P1 (critical) incidents have major business impact and require executive notification and around-the-clock response.

138
Multi-Select · medium

Which THREE of the following are typical roles in an incident response team? (Select THREE)

Select 3 answers
A. IR manager
B. Human resources representative
C. Forensic investigators
D. Security analysts
E. Internal audit representative
Answers: A, C, D

The IR manager coordinates the IR team and its processes.

Why this answer

The IR team typically includes an IR manager, security analysts, forensic investigators, communications lead, legal counsel, and executive sponsor.

139
MCQ · hard

During a major cybersecurity incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the CEO as a member of the CMT?

A. Authorizing external communications and resource allocation
B. Updating the incident response playbook
C. Directing the technical containment efforts
D. Conducting forensic analysis of affected systems
Answer: A

The CEO makes high-level decisions about communications and resources.

Why this answer

The CEO provides strategic direction and approves major decisions, such as activating business continuity or communicating externally, while the CISO leads the technical response.

140
MCQ · hard

During a major data breach investigation, legal counsel advises the incident response team to preserve attorney-client privilege over communications with external forensic investigators. Which of the following actions BEST supports this objective?

A. Have all communications with the forensic firm go through the CISO.
B. Avoid documenting any findings related to the breach until after litigation is resolved.
C. Ensure the forensic engagement letter includes a clause acknowledging attorney-client privilege.
D. Direct the forensic investigators to report to legal counsel and mark all deliverables as privileged.
Answer: D

This ensures the work is done under legal direction and protected by privilege.

Why this answer

Option D is correct because directing forensic investigators to report directly to legal counsel and marking all deliverables as privileged establishes a clear legal framework for attorney-client privilege. This ensures that communications and work product are protected from discovery in litigation, as they are created under the direction of legal counsel for the purpose of providing legal advice.

Exam trap

Cisco often tests the misconception that a contractual clause or routing through a senior executive (like the CISO) is sufficient to preserve privilege, when in fact the legal control and direction by counsel is the critical factor.

How to eliminate wrong answers

Option A is wrong because having all communications go through the CISO does not automatically create attorney-client privilege; the CISO is a technical role, not legal counsel, and such communications may be deemed business communications rather than privileged legal advice. Option B is wrong because avoiding documentation of findings violates standard incident response best practices and may lead to spoliation of evidence, which can result in legal sanctions; privilege does not require destruction of evidence. Option C is wrong because a clause in the engagement letter acknowledging privilege is insufficient; privilege is determined by the actual control and purpose of the work, not merely a contractual statement, and without legal counsel directing the work, the clause may be disregarded by a court.

141
Multi-Select · medium

Which TWO of the following are components of an incident response programme?

Select 2 answers
A. Incident response plan
B. Vendor contracts
C. Risk assessment
D. Business impact analysis (BIA)
E. Incident response policy
Answers: A, E

The plan outlines strategy and procedures.

Why this answer

IR policy and IR plan are core components; vendor contacts are part of the plan, and BIA is not a direct IR component.

142
MCQ · medium

An incident has been declared as P2 (high severity). According to the incident classification, what is the expected response timeframe and notification requirement?

A. Scheduled remediation with minimal notification.
B. Management notification and response during business hours.
C. Standard response with no specific notification.
D. Executive notification and 24/7 response.
Answer: B

P2 is high severity with significant impact.

Why this answer

P2 incidents require management notification and response during business hours.

143
MCQ · easy

What is the recommended timeframe for holding a lessons learned meeting after an incident has been resolved?

A. Within 2 weeks
B. Within 1 month
C. Within 3 months
D. Within 24 hours
Answer: A

Two weeks balances freshness with time to prepare.

Why this answer

Conducting the meeting within two weeks ensures details are fresh and improvements can be implemented quickly.

144
MCQ · hard

During a data breach investigation, legal counsel instructs the forensics team to preserve evidence under attorney-client privilege. Which of the following actions is most critical to maintain that privilege?

A. Use a separate, isolated network for forensic analysis
B. Limit distribution of forensic reports to individuals with a need-to-know and under legal direction
C. Encrypt all forensic images with a strong algorithm
D. Destroy all preliminary notes after the final report is issued
Answer: B

Controlling access and keeping communications within the legal team helps protect privilege.

Why this answer

To preserve attorney-client privilege, communications and work product must be kept confidential and not shared with third parties unless protected by common interest or waiver.

145
MCQ · medium

An organization has experienced a P2 incident. According to standard incident severity definitions, which response timeframe is typically expected?

A. Scheduled remediation at the next maintenance window
B. Response during business hours
C. Response within 72 hours
D. 24/7 response until resolved
Answer: B

P2 incidents are handled during normal business hours.

Why this answer

P2 (high) incidents require a response during business hours, as they have significant but not critical impact.

146
Multi-Select · medium

Which TWO of the following are appropriate criteria for escalating an incident to the crisis management team (CMT)? (Select TWO.)

Select 2 answers
A. The incident could cause severe reputational damage
B. The incident involves a new type of malware not seen before
C. The incident originated from a third-party supplier
D. The incident has potential for major financial loss or regulatory penalties
E. The incident requires coordination with multiple external vendors
Answers: A, D

Reputational risk at a high level requires executive involvement.

Why this answer

Potential for major financial loss or regulatory penalties and severe reputational damage are key triggers for CMT activation. Technical complexity alone is not sufficient.

147
Multi-Select · medium

An organization is updating its incident response plan. Which TWO components should be included to ensure effective evidence handling? (Select TWO.)

Select 2 answers
A. A template for incident notifications
B. Evidence handling procedures
C. Contact information for law enforcement
D. A list of acceptable forensic tools
E. Chain of custody forms
Answers: B, E

Procedures define how evidence is collected and preserved.

Why this answer

Evidence handling procedures and chain of custody documentation are essential for preserving evidence integrity.

148
MCQ · easy

In the context of incident severity classification, which of the following best describes a P3 (medium) incident?

A. Significant impact requiring management notification and business hours response
B. Minimal impact with scheduled remediation
C. Critical business impact requiring 24/7 response and executive notification
D. Limited impact with standard response and no immediate escalation
Answer: D

This is the correct definition for P3.

Why this answer

A P3 (medium) incident is defined as having limited impact on business operations, allowing for a standard response during normal business hours without requiring immediate escalation. This classification typically applies to incidents that do not affect critical systems or sensitive data, and can be resolved through normal change management processes without urgent intervention.

Exam trap

The trap here is that candidates confuse 'limited impact' with 'minimal impact' — P3 requires a standard response during business hours, while P4 allows scheduled remediation, and mixing these up leads to selecting Option B.

How to eliminate wrong answers

Option A is wrong because a P3 incident does not require management notification or a business-hours response; that description aligns with a P2 (high) incident where impact is significant but not critical. Option B is wrong because 'minimal impact with scheduled remediation' describes a P4 (low) incident, which has negligible business effect and can be deferred to a maintenance window. Option C is wrong because 'critical business impact requiring 24/7 response and executive notification' defines a P1 (critical) incident, which demands immediate escalation and round-the-clock remediation.

149
MCQ · medium

An organization has a policy to share indicators of compromise (IoCs) with an Information Sharing and Analysis Center (ISAC). This activity is most closely associated with which phase of incident management?

A. Preparation
B. Post-incident activity
C. Containment, eradication, and recovery
D. Detection and analysis
Answer: B

Post-incident includes lessons learned and threat intelligence sharing with ISACs.

Why this answer

Sharing IoCs with ISACs is a post-incident activity aimed at improving collective defense and preventing future incidents.

150
Multi-Select · hard

Which THREE of the following are appropriate members of a crisis management team (CMT) for a major cybersecurity incident? (Select three.)

Select 3 answers
A. General Counsel (GC)
B. Chief Information Security Officer (CISO)
C. Security analyst
D. Chief Executive Officer (CEO)
E. Forensic investigator
Answers: A, B, D

GC handles legal and regulatory matters.

Why this answer

The General Counsel (GC) is a critical member of the CMT because a major cybersecurity incident (e.g., a data breach involving PII) triggers legal obligations under regulations like GDPR, HIPAA, or SOX. The GC provides real-time advice on legal hold, breach notification timelines, and attorney-client privilege, ensuring the organization's response does not create additional liability or waive legal protections.

Exam trap

The trap here is confusing operational roles (Security Analyst, Forensic Investigator) with strategic, decision-making CMT members, leading candidates to select technical responders who execute tasks rather than executives who govern the incident response.
