
CISM · Question #711

CISM Question #711: Real Exam Question with Answer & Explanation

The correct answer is B: Perform a post-incident review.

Submitted by haruto_sh · Apr 18, 2026 · Information Security Incident Management

Question

An incident response team recently encountered an unfamiliar type of cyber event. Though the team was able to resolve the issue, it took a significant amount of time to identify. What is the BEST way to help ensure similar incidents are identified more quickly in the future?

Options

  • A. Perform a threat analysis.
  • B. Perform a post-incident review.
  • C. Implement a SIEM solution.
  • D. Establish performance metrics for the team.

Explanation

Performing a post-incident review (also called a lessons-learned or after-action review) directly addresses the problem: the team encountered something unfamiliar and struggled to identify it, so reviewing what happened captures that knowledge, documents the indicators, and updates playbooks so the team recognizes it faster next time. Threat analysis (A) is proactive intelligence-gathering about potential future threats, not a mechanism for learning from a specific past incident. Implementing a SIEM (C) improves log aggregation and alerting but doesn't inherently teach the team how to recognize this specific new event type - and it takes time to deploy and tune. Establishing performance metrics (D) measures how well the team performs but doesn't give them the knowledge or procedures needed to identify novel incidents more quickly.

Memory tip: Think of the post-incident review as the team's "debrief" - just like military or sports teams review footage after a game to improve, incident teams review events to build institutional knowledge. When a question mentions an unfamiliar incident that was eventually resolved, the answer almost always involves capturing and applying those lessons.

Topics

#Incident Response #Post-incident Review #Lessons Learned #Incident Identification
