CISM Domain 4 - Information Security Incident Management Practice Exam
Questions and Answers
1 Which of the following should be determined FIRST when establishing a
business continuity program?
A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams
Answer: B is the correct answer.
Justification:
A. The cost to rebuild information processing facilities would not be the first thing
to determine.
,©PREP4EXAMS 2024/2025 REAL EXAM DUMPS Tuesday, August 6, 2024 10,57 AM
B. Prior to creating a detailed business continuity plan, it is important to determine
the incremental daily cost of losing different systems. This will allow recovery
time objectives to be determined.
C. Location and cost of a recovery facility cannot be addressed until the potential
losses are calculated, which will determine the type of recovery site that is needed,
and this will affect cost.
D. Individual recovery team requirements will occur after the requirements for
business continuity are determined.
2 A company has a network of branch offices with local file/print and mail servers;
each branch individually contracts a hot site. Which of the following would be the
GREATEST weakness in recovery capability?
A. Exclusive use of the hot site is limited to six weeks.
B. The hot site may have to be shared with other customers.
C. The time of declaration determines site access priority.
D. The provider services all major companies in the area.
Answer: D is the correct answer.
Justification:
A. Access to a hot site is not indefinite; the recovery plan should address a long-
term outage.
B. Sharing a hot site facility is common practice and sometimes necessary in the
case of a major disaster and not a significant weakness.
C. First come, first served is a standard practice in hosted facilities and does not
constitute a major weakness.
D. In case of a disaster affecting a localized geographical area, the vendor's facility
and capabilities could be insufficient for all of its clients, which will all be
competing for the same resource. Preference will likely be given to the larger
corporations, possibly delaying the recovery of a branch that will likely be smaller
than other clients based locally.
3 Which of the following actions should be taken when an online trading company
discovers a network attack in progress?
A. Shut off all network access points
B. Dump all event logs to removable media
C. Isolate the affected network segment
D. Enable trace logging on all events
Answer: C is the correct answer.
Justification:
A. Shutting off all network access points would create a denial of service that
could result in loss of revenue.
B. Dumping event logs, while useful, would not mitigate the immediate threat
posed by the network attack.
C. Isolating the affected network segment will mitigate the immediate threat while
allowing unaffected portions of the business to continue processing.
D. Enabling trace logging, while useful, would not mitigate the immediate threat
posed by the network attack.
4 Which of the following choices should be assessed after the likelihood of a loss
event has been determined?
A. The magnitude of impact
B. Risk tolerance
C. The replacement cost of assets
D. The book value of assets
Answer: A is the correct answer.
Justification: