1. Which of the following best describes the purpose of engagement lifecycle management in incident
response?
Options: A) Planning marketing strategies, B) Structuring incident response engagements, C) Managing
financial audits, D) Overseeing software development.
Explanation: Engagement lifecycle management is focused on planning and structuring incident
response activities to ensure preparedness and effective execution during incidents.
2. In incident response, what is the primary benefit of clearly defined engagement processes?
Options: A) Enhancing product sales, B) Reducing investigation time, C) Increasing client trust and clarity,
D) Improving employee training.
Explanation: Well-defined engagement processes build client trust and clarity by outlining clear
procedures and expected actions during an incident.
3. What preparatory step is most critical before an incident occurs?
Options: A) Budget planning, B) Conducting risk assessments, C) Organizing company parties, D)
Updating the company website.
Explanation: Risk assessments help organizations prepare for potential incidents by identifying
vulnerabilities and necessary countermeasures.
4. Which action should be avoided during an incident investigation to maintain evidence integrity?
Options: A) Documenting every step, B) Making unauthorized changes to systems, C) Collecting system
logs, D) Securing affected systems.
Explanation: Unauthorized changes can corrupt evidence and compromise the investigation, so they
must be avoided.
5. Why is safe handling of malware and suspicious files essential?
Options: A) To speed up processing, B) To prevent accidental infection or further damage, C) To improve
system performance, D) To enhance software functionality.
Explanation: Proper handling of malware prevents accidental spread and additional damage to systems
during investigations.
6. Which factor is a limitation of relying solely on system logs during an incident?
Options: A) They are always comprehensive, B) They may lack critical contextual details, C) They never
contain errors, D) They automatically provide attacker attribution.
Explanation: System logs can be incomplete or miss context, making them an insufficient sole source for
comprehensive incident analysis.
7. How do timelines assist investigators in incident response?
Options: A) By simplifying financial audits, B) By providing a visual sequence of events, C) By increasing
system speed, D) By encrypting sensitive data.
Explanation: Timelines offer a visual and chronological view of events, aiding in the analysis of incident
progression.
8. What challenge can arise when analyzing system timelines from multiple sources?
Options: A) Overabundance of identical data, B) Time zone discrepancies, C) Too few entries, D)
Excessive encryption.
Explanation: Time zone issues can create confusion when correlating events across systems in different
regions.
9. In the context of incident chronology, why is it important to interpret system timestamps correctly?
Options: A) To schedule meetings, B) To correlate events accurately, C) To adjust system brightness, D)
To monitor employee attendance.
Explanation: Accurate interpretation of timestamps is crucial for establishing the order and timing of
events during an incident.
10. What does the Computer Misuse Act 1990 primarily address?
Options: A) Financial fraud, B) Unauthorized access and computer-related crimes, C) Environmental
protection, D) Employee privacy.
Explanation: The act focuses on criminalizing unauthorized computer access and misuse.
11. Which legislation governs the protection of personal data in the European context?
Options: A) Human Rights Act 1998, B) Data Protection Act 2018 and GDPR, C) Criminal Justice Act 2008,
D) Regulation of Investigatory Powers Act 2000.
Explanation: The Data Protection Act 2018 and GDPR establish the framework for protecting personal
data in Europe.
12. Under which act might reverse engineering be scrutinized due to copyright issues?
Options: A) Human Rights Act 1998, B) Digital Millennium Copyright Act, C) Police and Justice Act 2006,
D) Protection of Children Act 1978.
Explanation: The Digital Millennium Copyright Act sets strict limits on reverse engineering to protect
intellectual property rights.
13. What is a key element of evidential integrity in incident investigations?
Options: A) Immediate public disclosure, B) Maintaining a proper chain of custody, C) Ignoring system
logs, D) Deleting sensitive files quickly.
Explanation: A robust chain of custody ensures that evidence remains credible and untampered
throughout the investigation.
14. Why is it critical to understand sector-specific regulations (e.g., PCI, FSA) during an incident?
Options: A) To improve marketing strategies, B) To ensure compliance with industry requirements, C) To
develop new products, D) To enhance employee productivity.
Explanation: Sector-specific regulations dictate how sensitive information must be handled, impacting
incident response and legal compliance.
15. What is the primary purpose of notifying third parties during an incident?
Options: A) To increase sales, B) To comply with legal and regulatory obligations, C) To promote a
product launch, D) To schedule training sessions.
Explanation: Timely notification of third parties is often required by law or regulation to manage risks
and comply with oversight.
16. When should law enforcement be engaged during an incident response?
Options: A) After a public announcement, B) When criminal activity is suspected, C) Only during routine
maintenance, D) When updating the company website.
Explanation: Engaging law enforcement is necessary when there is suspicion of criminal activity to
ensure proper legal processes are followed.
17. Which organization typically has jurisdiction over national incident response coordination?
Options: A) Local marketing teams, B) CERTs (Computer Emergency Response Teams), C) Financial
auditors, D) Human resources.
Explanation: CERTs are specialized teams that coordinate responses to cybersecurity incidents at a
national or sectoral level.
18. What is the importance of accurate record keeping during an incident engagement?
Options: A) To support internal promotions, B) To provide evidence for investigations and compliance,
C) To boost website traffic, D) To manage payroll processes.
Explanation: Detailed records support forensic investigations, ensure compliance with laws, and help in
understanding the incident timeline.
19. Which of the following best describes interim reporting in incident response?
Options: A) A final audit report, B) An ongoing update on incident status, C) A marketing summary, D) A
training manual.
Explanation: Interim reporting provides regular updates on the progress of an incident investigation,
keeping stakeholders informed.
20. What does maintaining an audit log on compromised hosts help establish?
Options: A) Employee attendance, B) A historical record of all actions performed, C) Software updates,
D) Customer preferences.
Explanation: Audit logs provide a detailed account of activities, which is essential for understanding the
sequence of events during an incident.
21. In threat assessment, what is the primary goal when communicating with a client?
Options: A) To confuse the client with technical jargon, B) To translate technical threats into business
impacts, C) To delay decision-making, D) To encourage data deletion.
Explanation: Translating technical threats into understandable business risks helps clients appreciate the
potential impacts and prioritize responses.
22. What is a high-level methodology in threat assessment?
Options: A) Ignoring historical data, B) Conducting a comprehensive risk analysis, C) Focusing solely on
hardware, D) Delegating analysis to marketing.
Explanation: A comprehensive risk analysis that reviews historical trends and current vulnerabilities is
fundamental to threat assessment.
23. What factor is essential when attributing an attack to a specific actor?
Options: A) The attacker’s favorite color, B) Consistent evidence and attack patterns, C) The company’s
revenue figures, D) Employee satisfaction scores.
Explanation: Consistent evidence and established attack patterns are key in determining the likely
source or actor behind an attack.
24. How does the understanding of attacker motivations benefit an incident manager?
Options: A) By predicting stock market trends, B) By tailoring response strategies, C) By scheduling
employee shifts, D) By developing social media content.
Explanation: Knowing attacker motivations helps in anticipating future actions and tailoring
countermeasures appropriately.
25. Which step is crucial when preparing an incident response engagement?
Options: A) Scheduling vacations, B) Identifying potential vulnerabilities, C) Organizing a team lunch, D)
Redesigning the corporate logo.