nerdexam
(ISC)2

CISSP-ISSAP · Question #145

You work as an Incident handling manager for a company. The public relations process of the company includes an event that responds to the e-mails queries. But since few days, it is identified that th

The correct answer is B. Eradication C. Recovery D. Contamination. Note: Option D lists "Contamination," which is not a standard incident handling phase. This is almost certainly a typo in the question - it should read Containment. The intended correct answers are Eradication (B), Recovery (C), and Containment (D), which are three consecutive ph

Security Operations Architecture

Question

You work as an Incident handling manager for a company. The public relations process of the company includes an event that responds to the e-mails queries. But since few days, it is identified that this process is providing a way to spammers to perform different types of e-mail attacks. Which of the following phases of the Incident handling process will now be involved in resolving this process and find a solution? Each correct answer represents a part of the solution. Choose all that apply.

Options

  • AIdentification
  • BEradication
  • CRecovery
  • DContamination
  • EPreparation

How the community answered

(34 responses)
  • A
    6% (2)
  • B
    79% (27)
  • E
    15% (5)

Explanation

Note: Option D lists "Contamination," which is not a standard incident handling phase. This is almost certainly a typo in the question - it should read Containment. The intended correct answers are Eradication (B), Recovery (C), and Containment (D), which are three consecutive phases of the standard 6-phase incident handling model (Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned).

Why B, C, and D (Containment) are correct: Once the email-abuse vulnerability is identified, the responder must first contain it (e.g., disable or isolate the auto-reply process to stop further exploitation), then eradicate the root cause (patch or redesign the process so spammers can no longer exploit it), and finally recover by restoring the public relations email service to normal, verified operation.

Why A (Identification) is wrong: Identification already happened - the problem was detected "a few days ago." The question asks which phases are now involved in resolving it, so Identification is behind you.

Why E (Preparation) is wrong: Preparation is a proactive phase done before incidents occur (policies, tools, training). It is not an active response phase for a live incident.

Memory tip: Think of the middle three resolution phases as "Stop it → Remove it → Restore it" - Containment stops the bleeding, Eradication removes the wound's cause, and Recovery heals the patient back to health.

Topics

#Incident Response Phases#Email Security#Eradication#Recovery

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice