CISM Question #50: Real Exam Question with Answer & Explanation
The correct answer is C: Conduct a meeting to capture lessons learned. After successful recovery from a cyberattack, the next crucial step is to conduct a meeting to capture lessons learned, enabling continuous improvement of incident response capabilities.
Question
An incident management team leader sends out a notification that the organization has successfully recovered from a cyberattack. Which of the following should be done NEXT?
Options
- A. Secure and preserve digital evidence for analysis.
- B. Gather feedback on business impact.
- C. Conduct a meeting to capture lessons learned.
- D. Prepare an executive summary for senior management.
Explanation
After successful recovery from a cyberattack, the next crucial step is to conduct a meeting to capture lessons learned, enabling continuous improvement of incident response capabilities.
Common mistakes.
- A. Securing and preserving digital evidence for analysis is typically performed during the containment and eradication phases of an incident, not after the notification of full recovery.
- B. Gathering feedback on business impact is an important part of the incident review, but the formal mechanism for consolidating this and other insights for improvement is the lessons learned meeting.
- D. Preparing an executive summary for senior management is an output of the incident response process, which should incorporate insights from the lessons learned, meaning the meeting should precede the summary's finalization.
Concept tested. Incident response post-mortem analysis
Reference. https://learn.microsoft.com/en-us/azure/security/fundamentals/incident-response-overview