ISACA
CISM · Question #71
CISM Question #71: Real Exam Question with Answer & Explanation
The correct answer is C: Restore the system from a known good backup.
Submitted by hans_de · Apr 18, 2026 · Information Security Incident Management
Question
Which of the following eradication methods is MOST appropriate when responding to an incident resulting in malware on an application server?
Options
- A. Disconnect the system from the network.
- B. Change passwords on the compromised system.
- C. Restore the system from a known good backup.
- D. Perform operating system hardening.
Explanation
When responding to malware on an application server, the most appropriate eradication method is to restore the system from a known good backup.
Common mistakes.
- A. Disconnecting the system from the network is a containment action, not an eradication method; it stops the malware's spread but does not remove it from the system.
- B. Changing passwords on a compromised system is part of post-eradication steps (recovery), and it might not be effective if the system is still infected or if the malware has captured new credentials.
- D. Performing operating system hardening is a preventative measure to reduce attack surfaces, not an eradication method for an already infected system.
Concept tested. Incident response - Eradication
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
#Incident Response #Malware Eradication #System Restoration #Recovery