After a recovery from a successful malware attack, instances of the malware continue to be discovered. Which phase of incident response was not successful?
Correct Answer: A
Eradication is the phase of incident response where the incident team removes the threat from the affected systems and restores them to a secure state. If this phase is not successful, the malware may persist or reappear on the systems, causing further damage or compromise. Therefore, eradication is the correct answer.
Reference:
https://www.securitymetrics.com/blog/6-phases-incident-response-plan
https://www.atlassian.com/incident-management/incident-response
https://eccouncil.org/cybersecurity-exchange/incident-handling/what-is-incident-response-life-cycle/
Question 492
Which of the following is the BEST indication of an effective information security awareness training program?
Correct Answer: D
Explanation: An effective information security awareness training program should aim to improve the knowledge, skills and behavior of the employees regarding information security. One of the ways to measure the effectiveness of such a program is to conduct phishing simulations, which are mock phishing attacks that test the employees' ability to identify and report phishing emails. An increase in the identification rate during phishing simulations indicates that the employees have learned how to recognize and avoid phishing attempts, which is one of the common threats to information security. Therefore, this is the best indication of an effective information security awareness training program among the given options.
The other options are not as reliable or relevant as indicators of an effective information security awareness training program. An increase in the frequency of phishing tests does not necessarily mean that the employees are learning from them or that the tests are aligned with the learning objectives of the program. An increase in positive user feedback may reflect the satisfaction or engagement of the employees with the program, but it does not measure the actual learning outcomes or behavior changes. An increase in the speed of incident resolution may be influenced by other factors, such as the availability and efficiency of the incident response team, the severity and complexity of the incidents, or the tools and processes used for incident management. Moreover, the speed of incident resolution does not reflect the prevention or reduction of incidents, which is a more desirable goal of an information security awareness training program.
References: CISM Review Manual, 16th Edition, ISACA, 2022, pp. 201-202, 207-208. CISM Questions, Answers & Explanations Database, ISACA, 2022, QID 1001.
Question 493
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized modification?
Correct Answer: C
Question 494
When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
Correct Answer: C
Explanation: An incident response plan documents the step-by-step process to follow, as well as the related roles and responsibilities pertaining to all parties involved in responding to an information security breach. A business continuity plan or disaster recovery plan would be triggered during the execution of the incident response plan in the case of a breach impacting the business continuity. A vulnerability management plan is a procedure to address technical vulnerabilities and mitigate the risk through configuration changes (patch management).
Question 495
Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
Correct Answer: D
Explanation: Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds. Risk should also be considered in the specification phase where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in choice A or C.