CISM Question #105: Real Exam Question with Answer & Explanation
The correct answer is A: Test and verify that compromised systems are clean. During the recovery phase of incident response, it is crucial to test and verify that affected systems are clean before bringing them back online, in order to prevent re-infection.
Question
Which of the following is MOST important to complete during the recovery phase of an incident response process before bringing affected systems back online?
Options
- A. Test and verify that compromised systems are clean.
- B. Document recovery steps for senior management reporting.
- C. Record and close security incident tickets.
- D. Capture and preserve forensic images of affected systems.
Explanation
During the recovery phase of incident response, it is crucial to test and verify that affected systems are clean before bringing them back online, in order to prevent re-infection.
Common mistakes.
- B. Documenting recovery steps is important for reporting and process improvement, but it does not directly secure the systems before they are brought back online.
- C. Recording and closing security incident tickets is an administrative step indicating completion, not a technical action to secure systems.
- D. Capturing forensic images is part of the containment and eradication phases for evidence preservation, typically done before or during eradication, not primarily during the recovery phase to bring systems back online.
Concept tested. Incident recovery verification
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf