topic Re: Clarification on Quiz question Domain 2: Incident management in CC Study Group

Clarification on Quiz question Domain 2: Incident management

Winny — Mon, 09 Sep 2024 10:04:11 GMT

I have completed Domain 2: Incident Response, BCP, DR and I was wondering about this question:

If the Incident response team is responsible for assessing the damage, then who is responsible for reducing the impact of incidents?

Thank you very much

Re: Clarification on Quiz question Domain 2: Incident management

Steve-Wilme — Mon, 09 Sep 2024 12:08:42 GMT

With a continuity incident you could only really reduce the impact through having prepared for a business interruption. So if you had east/west power from 2 different substations, 3 backup generator sets, arrangements to refuel them if necessary, dual data ingress to a facility etc. those are only things that you can do in advance, rather than as response.

Re: Clarification on Quiz question Domain 2: Incident management

JacobLin — Mon, 09 Sep 2024 13:06:31 GMT

Actually in other advanced ISC2 exam, it's often that every multi-choice question has 2 or more correct answers. You have to choose the most suitable one.

Re: Clarification on Quiz question Domain 2: Incident management

dcontesti — Mon, 09 Sep 2024 13:43:08 GMT

If you think the question/answer are incorrect, you should let Exam Administration know.

In this case, I believe the answer provided "Assessing and Scoping" is correct.

For my part, I believe this is a terrible question with two of the answers being throw aways such that the candidate has a 50/50 chance of getting it right or wrong.

For reference, if you look at NIST (great references), you will find:

NIST incident response lifecycle breaks incident response down into four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.

Phase 1: Preparation

The Preparation phase covers the work an organization does to get ready for incident response, including establishing the right tools and resources and training the team. This phase includes work done to prevent incidents from happening.

Phase 2: Detection and Analysis

Accurately detecting and assessing incidents is often the most difficult part of incident response for many organizations, according to NIST.

Phase 3: Containment, Eradication, and Recovery

This phase focuses on keeping the incident impact as small as possible and mitigating service disruptions.

Phase 4: Post-Event Activity

Learning and improving after an incident is one of the most important parts of incident response and the most often ignored. In this phase the incident and incident response efforts are analyzed. The goals here are to limit the chances of the incident happening again and to identify ways of improving future incident response activity.

Re: Clarification on Quiz question Domain 2: Incident management

Winny — Thu, 12 Sep 2024 11:12:06 GMT

Hi there, thanks for the clarification. I understand that assess and scoping damage is the role of the incident response team; I just thought they are also involved in reducing the impact of the incident by containing it.

I guess the question is asking for the incident team's main responsibility, and assess/scoping is more of a key responsibility for them than reducing the impact? Why is that - is it because it's the most difficult part of incident response, or is it because containment is not done solely by the incident response team but also by the business?

Re: Clarification on Quiz question Domain 2: Incident management

funkychicken — Thu, 12 Sep 2024 13:00:27 GMT

Incident Management and Incident Response are roles that is included in various frameworks such as ITIL, NIST and so on. You can see more in ISO/IEC 27035. I would point out that for the CISSP exam it is important to understand these roles and objectives. In here you can see that Incident Response is responsible for assessment and decision which would lead to scoping the work.

Incident Response main responsibilities:

Planning and Preparation,
Detection and Reporting,
Assessment and Decision,
Response, and
Lessons Learned.

Incident Management encompasses roles and functions for incident management, one of which is incident response. The focus of Incident Management assess the effectiveness of the Incidence Response team and make adjustments to the incident Response plans to become more effective to the organisation, thus reducing the impact of incidents to the business, not Incident Response.