Incident Response And Breach Notification Procedures

CPA Information Systems and Controls (ISC)

Questions 1 - 10
1

Which of the following correctly identifies the phases of a typical incident response lifecycle?

A. Assess, Remediate, Test, Deploy

B. Identify, Protect, Detect, Respond, Recover

C. Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity

D. Plan, Build, Run, Monitor

Explanation

The NIST SP 800-61 incident response lifecycle has six phases: Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity. Answer C is correct. Answer A is COBIT management phases. Answer B is the NIST Cybersecurity Framework functions. Answer D is a generic process model.

2

During a ransomware incident, the IT team's first priority should be to:

A. Contain the attack by isolating infected systems from the network to prevent further spread before beginning investigation or recovery.

B. Immediately pay the ransom to restore access to critical systems as quickly as possible.

C. Conduct a full root cause analysis to determine how the ransomware entered the network.

D. Notify all customers that their data may have been compromised.

Explanation

Containment - isolating affected systems - is the first priority to stop ransomware from spreading to additional systems. Investigation, notification, and recovery follow containment. Answer A is correct. Paying ransom (B) is a last resort. Root cause analysis (C) occurs after containment. Customer notification (D) follows assessment of data exposure.

3

The primary purpose of the 'eradication' phase of incident response is to:

A. Restore affected systems from clean backups to resume normal operations.

B. Remove the root cause of the incident - including malware, compromised accounts, and attacker persistence mechanisms - from the affected environment.

C. Notify stakeholders and regulatory authorities about the incident.

D. Document lessons learned and improve defenses based on the incident.

Explanation

Eradication focuses on completely removing the attacker's presence and tools from the environment - not just stopping the immediate attack but eliminating all footholds. Answer B is correct. System restoration (A) is the recovery phase. Stakeholder notification (C) occurs during and after containment. Lessons learned (D) are post-incident activities.

4

An organization's incident response plan designates a Computer Security Incident Response Team (CSIRT). The CSIRT should include representatives from which functions?

A. Only IT security staff who have technical knowledge of the systems involved.

B. Only senior management and legal counsel.

C. IT security, IT operations, legal, communications/PR, HR, and relevant business units - reflecting the cross-functional nature of incident response.

D. External law enforcement and regulatory agencies only.

Explanation

Effective incident response requires cross-functional coordination: IT handles technical response, legal manages liability and regulatory obligations, communications manages external messaging, HR addresses employee-related matters, and business units understand business impact. Answer C is correct. Technical staff alone (A) cannot manage legal, PR, or business implications. Management and legal alone (B) cannot execute technical response. External agencies (D) may be involved but do not constitute the internal CSIRT.

5

Which of the following best describes the purpose of a 'tabletop exercise' in incident response preparedness?

A. A discussion-based exercise where team members walk through a simulated incident scenario to test their understanding of roles, procedures, and decision-making without activating actual systems.

B. A live technical exercise that activates the disaster recovery site to test full system failover.

C. A physical security drill simulating unauthorized access to the data center.

D. An annual review of the incident response policy document by IT management.

Explanation

Tabletop exercises test incident response knowledge and coordination through discussion of simulated scenarios - identifying gaps in procedures, communication, and decision-making without the risk and cost of live exercises. Answer A is correct. Full system failover (B) is a full-scale exercise. Physical security drills (C) test physical controls. Policy reviews (D) assess documentation.

6

Which of the following is the most important document to maintain during an incident for both operational and legal purposes?

A. A detailed incident log recording all actions taken, decisions made, timestamps, personnel involved, and evidence collected throughout the response.

B. A complete backup of all affected systems made at the start of the incident.

C. A list of all employees who were notified about the incident.

D. A copy of the organization's cyber insurance policy.

Explanation

A detailed incident log provides the authoritative record of what happened, when, by whom, and why - essential for regulatory reporting, legal proceedings, lessons learned, and demonstrating due diligence. Answer A is correct. Backups (B) are important for recovery. Employee notification lists (C) are one element of documentation. Insurance policies (D) are business documents, not incident records.

7

An organization detects a breach and finds evidence that attackers had access for 45 days before detection. This period between initial compromise and detection is called:

A. The recovery time objective (RTO).

B. The mean time to respond (MTTR).

C. Dwell time - the period an attacker remains undetected within a compromised environment.

D. The breach notification window.

Explanation

Dwell time measures how long an attacker operates undetected within a network - a key indicator of detection capability maturity. Shorter dwell time means faster detection and less damage. Answer C is correct. RTO (A) measures recovery speed. MTTR (B) measures response time after detection. The notification window (D) is a regulatory compliance concept.

8

When a breach notification is sent to affected individuals, which of the following information should typically be included?

A. A description of what happened, the types of information involved, what the organization is doing in response, steps individuals can take to protect themselves, and contact information for further assistance.

B. The full technical details of the attack methodology and vulnerabilities exploited.

C. The names of all employees involved in the incident response.

D. A complete list of all data the organization holds about the individual.

Explanation

Breach notifications should be clear and actionable - explaining the incident, what data was affected, organizational response actions, protective steps individuals can take, and how to get help. Answer A is correct. Technical attack details (B) are not helpful to individuals and may aid further attacks. Employee names (C) are confidential. Full data inventories (D) are not required and may raise additional privacy concerns.

9

An organization's incident response plan includes a 'containment strategy decision tree.' The primary purpose of this decision tool is to:

A. Determine which regulatory authority must be notified first.

B. Calculate the financial cost of the incident for insurance purposes.

C. Identify the root cause of the incident before any action is taken.

D. Guide responders in selecting the appropriate containment approach based on the type and severity of the incident, balancing speed of containment against operational impact.

Explanation

A containment decision tree helps responders quickly determine the right containment strategy for different incident types - balancing the urgency to stop spread against the need to maintain critical operations. Answer D is correct. Regulatory routing (A), cost calculation (B), and root cause identification (C) are separate activities in the IR lifecycle.

10

A company discovers that an employee's laptop containing unencrypted customer data was stolen. Which of the following is the organization's most immediate legal obligation?

A. Immediately replace the stolen laptop with a new device.

B. Assess the scope of the data breach and determine applicable breach notification obligations based on the type of data, jurisdiction, and number of affected individuals.

C. File a police report about the laptop theft and take no further action pending the investigation.

D. Wait 30 days to determine whether the data has been misused before making any notifications.

Explanation

A stolen laptop with unencrypted customer data is likely a reportable breach - the organization must immediately assess what data was on the device and determine applicable notification requirements under state, federal, and international laws. Answer B is correct. Laptop replacement (A) is an operational matter. A police report (C) alone is insufficient. Waiting 30 days (D) would likely violate notification deadlines.
