Domain 4 Capstone Review: Incident Management

CISM Domain 4 — Incident Management Capstone Review (30–40 min)

This capstone tests:

  • Preparedness before incidents
  • Structured execution during incidents
  • Governance alignment after incidents

Think impact. Think proportionality. Think defensibility.


Question 1

An organization restores systems in arbitrary order during an outage.

What is the MOST likely root cause?

  A. Encryption weakness
  B. Vendor inefficiency
  C. Lack of BIA-driven recovery prioritization
  D. Reduced automation
Answer & Explanation

Correct Answer: C

Recovery sequencing must follow the priorities the BIA established (process criticality, RTO, and dependencies). Restoring in arbitrary order indicates the BIA was either never performed or never carried into the DRP.


Question 2

An IRP exists but does not define severity-based escalation thresholds.

What is the PRIMARY risk?

  A. Inconsistent escalation and executive visibility
  B. Reduced automation
  C. Encryption gap
  D. Vendor inefficiency
Answer & Explanation

Correct Answer: A

Severity tiers drive structured escalation.


Question 3

RPO is 2 hours, but backups occur once daily.

What is the PRIMARY issue?

  A. Reduced automation
  B. Vendor oversight
  C. Encryption deficiency
  D. Misalignment between backup frequency and recovery objective
Answer & Explanation

Correct Answer: D

A daily backup can lose up to 24 hours of data, twelve times the stated 2-hour RPO. Backup frequency (or replication interval) must be at least as tight as the RPO, otherwise the objective exists only on paper.


Question 4

During investigation, logs are overwritten before analysis.

What is the MOST significant risk?

  A. Encryption gap
  B. Loss of forensic evidence and legal defensibility
  C. Vendor inefficiency
  D. Reduced automation
Answer & Explanation

Correct Answer: B

Evidence must be preserved before it is lost: logs should be exported or placed on retention hold as soon as an incident is declared, with hashes and chain of custody recorded. Overwritten logs cannot be recovered for investigation, regulatory response, or litigation.


Question 5

A ransomware attack is contained but credentials are not reset.

What is the PRIMARY concern?

  A. Reduced automation
  B. Encryption weakness
  C. Continued unauthorized access risk
  D. Vendor inefficiency
Answer & Explanation

Correct Answer: C

An attacker who still holds valid credentials can re-enter after containment. Resetting credentials (and revoking active sessions and tokens) is part of eradication, not an optional cleanup step.


Question 6

Executives are not included in tabletop exercises.

What is the MOST significant governance risk?

  A. Leadership unpreparedness during crisis
  B. Encryption gap
  C. Vendor inefficiency
  D. Monitoring delay
Answer & Explanation

Correct Answer: A

Executive participation validates decision readiness.


Question 7

A breach is classified as medium severity to avoid board reporting.

What principle is violated?

  A. Automation discipline
  B. Monitoring frequency
  C. Vendor governance
  D. Objective severity classification
Answer & Explanation

Correct Answer: D

Severity must reflect business impact, not reporting convenience. Manipulating classification to avoid escalation defeats the oversight the severity scheme exists to provide.


Question 8

Containment shuts down all systems, including critical revenue platforms, without assessment.

What was ignored?

  A. Encryption deficiency
  B. Proportional response aligned with business impact
  C. Vendor oversight
  D. Reduced automation
Answer & Explanation

Correct Answer: B

Containment must consider business continuity.


Question 9

Regulatory notification is delayed pending full investigation.

What is the PRIMARY risk?

  A. Encryption weakness
  B. Vendor inefficiency
  C. Regulatory noncompliance and penalties
  D. Monitoring delay
Answer & Explanation

Correct Answer: C

Most breach-notification regimes start the clock at discovery, not at completion of the investigation. An initial notification within the deadline, supplemented as facts emerge, is expected; waiting for full findings risks penalties.


Question 10

After recovery, no additional monitoring is implemented.

What is the PRIMARY weakness?

  A. Failure to validate eradication success
  B. Reduced automation
  C. Encryption deficiency
  D. Vendor oversight
Answer & Explanation

Correct Answer: A

Heightened monitoring after recovery is how eradication is validated: it detects persistence mechanisms or re-entry that the response may have missed and confirms that the restored controls actually work.


Question 11

A DRP has not been updated after major cloud migration.

What is the MOST significant risk?

  A. Reduced automation
  B. Vendor inefficiency
  C. Encryption gap
  D. Recovery procedures no longer reflect infrastructure reality
Answer & Explanation

Correct Answer: D

DRP must reflect current architecture.


Question 12

An organization conducts annual exercises using the same scenario.

What is the PRIMARY issue?

  A. Encryption deficiency
  B. Limited preparedness for diverse threat landscape
  C. Vendor oversight
  D. Monitoring delay
Answer & Explanation

Correct Answer: B

Testing must evolve with risk landscape.


Question 13

Investigation concludes quickly without assessing third-party involvement.

What is the PRIMARY risk?

  A. Encryption weakness
  B. Vendor inefficiency
  C. Incomplete scope determination
  D. Reduced automation
Answer & Explanation

Correct Answer: C

Scope must include potential vendor exposure.


Question 14

A BCP focuses only on IT system restoration.

What is the PRIMARY misunderstanding?

  A. Confusion between business continuity and disaster recovery
  B. Encryption gap
  C. Vendor oversight
  D. Reduced automation
Answer & Explanation

Correct Answer: A

BCP ensures operations continue beyond IT recovery.


Question 15

Containment actions are undocumented.

What is the MOST significant issue?

  A. Encryption deficiency
  B. Monitoring delay
  C. Vendor oversight
  D. Reduced governance traceability and defensibility
Answer & Explanation

Correct Answer: D

Documentation supports legal and governance review.


Question 16

After an incident, remediation actions are identified but not assigned.

What is the PRIMARY weakness?

  A. Encryption gap
  B. Lack of accountability for corrective measures
  C. Vendor inefficiency
  D. Reduced automation
Answer & Explanation

Correct Answer: B

Remediation must have defined ownership.


Question 17

An organization restores from backups but does not validate integrity.

What is the PRIMARY risk?

  A. Encryption deficiency
  B. Vendor oversight
  C. Reintroduction of compromised systems
  D. Monitoring delay
Answer & Explanation

Correct Answer: C

Backups taken after the initial compromise may carry the attacker's persistence or malware. Integrity checks (hash or signature verification of the backup set, malware scanning, and selecting a restore point from before the compromise) ensure the recovery is clean rather than a reinfection.
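The check behind this answer, as an added example that is not part of the original review: a keyed manifest of per-file SHA-256 digests is built when the backup is taken, and verification runs before any restore. The backup set, file contents, manifest key, and the tampering scenario are all constructed for the example; the key is assumed to live outside the backup media (for instance in a secrets manager), so whoever alters the backups cannot also re-sign the manifest.

```python
import hashlib
import hmac
import json

# Constructed sample backup set: file name -> contents. A real run would read
# files from disk or object storage; kept in memory so the example runs offline.
BACKUP_SET = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'alice');\n",
    "app/config.yml": b"db_host: db.internal\nlog_level: info\n",
    "web/index.html": b"<html><body>ok</body></html>\n",
}

# Assumption: this key is stored outside the backup media. Hypothetical value.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a SHA-256 digest per file, then MAC the whole record.
    Run at backup time, before the media leave the trusted environment."""
    entries = {name: sha256_hex(content) for name, content in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means the set is safe to restore.
    The manifest MAC is checked first: if it fails, the per-file digests cannot
    be trusted and the restore must stop regardless of what they say."""
    findings = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        findings.append("manifest MAC mismatch: manifest is not trustworthy")
        return findings
    for name, digest in manifest["files"].items():
        if name not in files:
            findings.append(f"missing from backup set: {name}")
        elif sha256_hex(files[name]) != digest:
            findings.append(f"digest mismatch (possible tampering): {name}")
    for name in files:
        if name not in manifest["files"]:
            findings.append(f"not in manifest (unexpected extra file): {name}")
    return findings


def restore_if_clean(files: dict, manifest: dict, key: bytes) -> bool:
    """Gate the restore on a clean verification result."""
    findings = verify_backup(files, manifest, key)
    if findings:
        for finding in findings:
            print("REFUSE RESTORE:", finding)
        return False
    print("manifest verified; restore may proceed")
    return True


def tampered_copy(files: dict) -> dict:
    # Constructed scenario: the backup host was also reached by the attacker,
    # who altered one file and dropped an extra one into the backup set.
    tampered = dict(files)
    tampered["web/index.html"] = b"<html><body>modified after compromise</body></html>\n"
    tampered["web/extra.bin"] = b"\x00unexpected payload"
    return tampered


if __name__ == "__main__":
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    restore_if_clean(BACKUP_SET, manifest, MANIFEST_KEY)
    restore_if_clean(tampered_copy(BACKUP_SET), manifest, MANIFEST_KEY)
```

Point-in-time selection is the other half of the check: the manifest only proves the set matches what was backed up, so the restore point still has to predate the compromise, which is why the explanation pairs integrity verification with the incident timeline.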


Question 18

Incident communication occurs through informal messaging tools.

What is the MOST significant governance concern?

  A. Lack of centralized documentation and control
  B. Encryption gap
  C. Vendor inefficiency
  D. Reduced automation
Answer & Explanation

Correct Answer: A

Communication must be structured and documented.


Question 19

Incident classification criteria are undefined.

What is the PRIMARY risk?

  A. Encryption weakness
  B. Reduced automation
  C. Vendor inefficiency
  D. Inconsistent escalation and reporting
Answer & Explanation

Correct Answer: D

Defined criteria ensure consistent handling.


Question 20

Root cause analysis identifies patching failures, but no policy updates occur.

What is the PRIMARY governance gap?

  A. Reduced automation
  B. Failure to integrate lessons learned
  C. Encryption deficiency
  D. Vendor oversight
Answer & Explanation

Correct Answer: B

Policy updates reflect program improvement.


Question 21

A major breach is resolved but not reported to the board.

What is the PRIMARY concern?

  A. Lack of governance transparency
  B. Encryption weakness
  C. Vendor inefficiency
  D. Monitoring delay
Answer & Explanation

Correct Answer: A

Material incidents require executive visibility.


Question 22

Incident tools are purchased but not integrated with case management processes.

What is the PRIMARY weakness?

  A. Reduced automation
  B. Vendor oversight
  C. Encryption deficiency
  D. Tool capability without governance alignment
Answer & Explanation

Correct Answer: D

Tools must support structured response processes.


Question 23

A severe breach is fully contained, but no post-incident review occurs.

What is the MOST significant risk?

  A. Encryption gap
  B. Vendor inefficiency
  C. Lost opportunity to improve program resilience
  D. Reduced automation
Answer & Explanation

Correct Answer: C

Continuous improvement defines maturity.


Question 24

An organization lacks a documented IRP but has strong technical staff.

What is the PRIMARY governance issue?

  A. Encryption deficiency
  B. Absence of structured escalation and accountability
  C. Vendor oversight
  D. Monitoring delay
Answer & Explanation

Correct Answer: B

Structure ensures consistency and defensibility.


Question 25

A mature incident management program should demonstrate:

  A. Integrated readiness, disciplined execution, and continuous improvement
  B. Advanced forensic tools
  C. Daily vulnerability scans
  D. Vendor certifications
Answer & Explanation

Correct Answer: A

Maturity integrates preparedness, structured response, and governance feedback.
