ISC2 SSCP: Incident Response
and Recovery test questions
and answers 2025
Incident Response Plan Elements
- statement of purpose
- strategies and goals for incident response
- approach to incident response
- communication with other groups
- senior leadership approval
CONSULT: NIST SP 800-61
Incident Communication Plan
- Ensures all participants have timely, accurate info
- Limit external communications to trusted parties
- Comply with legislative or regulatory notification requirements
Secure Communication
prevents inadvertent information leaks
Monitoring is crucial to ___________
incident identification
Incident Data Sources
ids/ips
firewalls
authentication systems
integrity monitors
vulnerability scanners
system event logs
netflow records
antimalware packages
SIEM (Security Incident and Event Management)
Security solution that collects information from diverse sources, analyzes
it for signs of security incidents, and retains it for later use.
First responders should _________
isolate affected systems
EXAM TIP: The highest priority of a first responder must be containing
damage through isolation
Escalation and Notification Objectives
Evaluate incident severity based upon impact
Escalate response to an appropriate level
notify management and other stakeholders
Triaging Incidents
Low Impact - minimal potential to affect security, handled by first
responders, don't require after-hours response
Moderate Impact - significant potential to affect security, trigger incident
response team activation, require prompt notification to management
High Impact - may cause critical damage to information systems, justify an
immediate full response, require immediate notification to senior
management, demand full mobilization of incident response team
Containment Strategy Evaluation
1. Damage potential
2. Evidence preservation
3. Service availability
4. Resource requirements
5. expected effectiveness
6. Solution time frame
A containment measure should balance ________ needs and _________
objectives
business, security
Mitigation ends with ___________
stability
Containment
Limits the damage
Three activities to contain damage of a security incident
1. Segmentation - divide networks into logical segments, grouped by
types of users or systems
2. Isolation - compromised system is moved to a network that is
completely disconnected from the rest of the network.
3. Removal - completely disconnects impacted systems from any network.
Eradication