Evaluate Incident And Problem Management
CPA Information Systems and Controls (ISC)
A 'known error' in ITSM problem management refers to:
An error in the incident ticketing system that causes tickets to be misrouted.
A problem that has been diagnosed with an identified root cause and a known workaround, but for which a permanent fix has not yet been implemented.
An error in the organization's financial statements identified by the external auditors.
A documented security vulnerability that has been publicly disclosed.
Explanation
A known error is a formally documented problem state where the root cause and a workaround are identified - it is tracked until a permanent fix (change) is implemented. Answer D is correct. Security vulnerabilities (A), ticketing errors (B), and financial statement errors (C) are not the ITSM definition.
An organization's problem management process requires a root cause analysis (RCA) for all P1 (critical) incidents. After a major database outage, no RCA is conducted because 'the team was too busy with other work.' The most significant risk of this gap is:
The underlying cause of the outage remains unaddressed, increasing the likelihood of recurrence and future disruptions to critical systems and financial operations.
Staff involved in the incident may not receive performance reviews on time.
The organization may fail its next ISO 27001 certification audit.
The incident ticket will remain in 'open' status indefinitely in the ticketing system.
Explanation
Without RCA, the root cause of a critical outage is unknown and unresolved - the same failure mechanism can cause another outage. Answer C is correct. Certification impacts (A) are secondary. Performance reviews (B) are unrelated. Open tickets (D) are an administrative issue.
Which of the following best describes a 'workaround' in ITSM incident and problem management?
A manual process that replaces automated system functionality indefinitely.
A permanent fix that eliminates the underlying cause of repeated incidents.
A temporary solution that reduces the impact of an incident or problem until a permanent fix can be implemented.
A temporary patch applied by the IT team to a software vulnerability.
Explanation
A workaround is a temporary measure - it mitigates impact but does not fix the underlying cause. It buys time until a proper solution is developed and implemented. Answer D is correct. A permanent fix (A) eliminates the need for a workaround. A security patch (B) may be a fix, not a workaround. Manual processes (C) may be workarounds but the definition is broader.
An IT team resolves incidents by restarting servers whenever applications crash, without investigating why the crashes occur. Over six months, the same servers are restarted 47 times. This approach reflects:
A technical limitation of the servers that cannot be resolved.
Effective incident management since service is restored quickly each time.
Effective incident management but failed problem management - the root cause of the crashes has not been investigated or resolved.
An appropriate use of the change management process to address recurring issues.
Explanation
Quick restarts demonstrate responsive incident management. However, 47 restarts without root cause investigation is a clear problem management failure - the recurring crashes indicate an unresolved underlying issue. Answer B is correct. Quick restoration alone is not sufficient (A). The frequency suggests a resolvable problem (C). Restarts are not change management (D).
During an audit, an IT auditor reviews the incident log and finds that several high-severity incidents affecting the financial reporting system were not logged in the incident management system. The primary risk of unlogged incidents is:
Employees who experienced the incidents may file complaints about poor service.
The IT team will exceed its incident handling capacity.
The organization will fail its SOC 2 audit automatically.
The organization loses visibility into system reliability patterns, management cannot make informed decisions, and root cause analysis cannot be performed on untracked issues.
Explanation
Unlogged incidents create blind spots - management cannot see patterns, cannot perform trend analysis, and cannot trigger problem management for recurring issues. Answer A is correct. Capacity (B), automatic SOC failures (C), and employee complaints (D) are not the primary risks.
An organization's problem management process uses trend analysis of incident data. The primary purpose of this analysis is to:
Determine whether the IT team is meeting its staffing targets.
Identify recurring patterns or categories of incidents that may indicate underlying systemic problems requiring root cause investigation.
Calculate the total cost of IT outages for financial reporting purposes.
Provide data for the annual IT performance review.
Explanation
Trend analysis of incident data reveals patterns - the same system failing repeatedly, the same type of error occurring frequently - that signal underlying problems requiring problem management attention. Answer B is correct. Staffing (A), cost calculation (C), and performance reviews (D) are secondary uses.
After a major security incident, an organization conducts a post-incident review. The primary purpose of this review is to:
Document the incident for inclusion in the annual IT report to the board.
Satisfy the insurance company's requirements for incident reporting.
Understand what happened, why it happened, what was done well, what could be improved, and what actions will prevent recurrence.
Determine which employees are responsible for the incident for disciplinary action.
Explanation
A post-incident review (also called a post-mortem or lessons learned) is focused on understanding and improvement - not blame - covering the full incident timeline, response effectiveness, and preventive actions. Answer D is correct. Blame assignment (A) is counterproductive. Insurance reporting (B) is a compliance activity. Board reporting (C) may follow but is not the review's primary purpose.
Which of the following represents an effective integration between incident management and change management processes?
Change management should approve all incident resolutions before service is restored.
When problem management identifies a root cause requiring a fix, the fix is implemented through the formal change management process to ensure it is authorized, tested, and documented.
Incident management and change management should operate independently to avoid delays.
Only problem managers are authorized to initiate change requests.
Explanation
The formal link between problem management and change management ensures that fixes identified through root cause analysis are implemented in a controlled, authorized manner - preventing rushed fixes that could cause new problems. Answer A is correct. Pre-approval of all incident restorations (B) would cause unacceptable delays. Independence (C) creates gaps. Change initiation is not limited to problem managers (D).
Which of the following is the most important information to capture in an incident record to support effective problem management?
The number of users affected by the incident.
Symptoms, affected systems, timeline of events, steps taken to resolve, resolution method, and root cause if identified.
The cost of IT staff time spent on the incident.
The name of the end user who first reported the incident.
Explanation
Comprehensive incident records with symptoms, timelines, and resolution details provide the foundation for problem management root cause analysis - enabling pattern recognition and systematic investigation. Answer B is correct. Reporter name (A), cost (C), and user count (D) are supplementary data that do not support root cause investigation.
Which of the following is a key control that helps ensure incidents are escalated appropriately when they cannot be resolved within defined timeframes?
Posting the IT team's organizational chart in the server room.
Documented escalation paths and timeframes that automatically trigger notification of senior staff and management when incidents breach defined resolution windows.
Conducting monthly incident management training for IT staff.
Requiring all IT staff to carry mobile phones so they can be reached at any time.
Explanation
Documented escalation paths with defined triggers ensure that unresolved incidents automatically escalate to higher levels of authority, ensuring resources and management attention are applied before incidents cause unacceptable disruption. Answer A is correct. Mobile phones (B), org charts (C), and training (D) are supporting elements but not the escalation control itself.