
Domain 4 – Section B Review: Incident Management Operations

Estimated time: 15–20 min

This section integrates:

  • Tools and Techniques
  • Investigation and Evaluation
  • Containment
  • Communications
  • Eradication and Recovery
  • Post-Incident Review

CISM evaluates whether you can manage incidents in a structured, legally defensible, and business-aligned manner.


Section B Review

1. Tools Support Governance

Incident tools must:

  • Align with risk profile
  • Be integrated and manageable
  • Preserve evidence
  • Support centralized documentation
  • Enable structured escalation

Tools do not replace process.


2. Investigation Determines Truth

Investigation must:

  • Define scope
  • Preserve evidence
  • Identify root cause
  • Assess business impact
  • Document findings

Containment without investigation creates recurrence risk.


3. Containment Must Be Proportional

Containment should:

  • Limit damage quickly
  • Protect critical assets
  • Preserve evidence
  • Reflect severity classification
  • Consider business impact

Overreaction can create greater operational harm.


4. Communication Must Be Structured

Incident communications must:

  • Follow escalation tiers
  • Involve legal where required
  • Meet regulatory deadlines
  • Be centrally controlled
  • Be documented

Informal communication creates liability.


5. Eradication and Recovery Require Validation

Recovery must:

  • Address root cause
  • Align with BIA-defined priorities
  • Validate system integrity
  • Increase monitoring temporarily
  • Confirm control effectiveness

Restoration is not closure.


6. Post-Incident Review Closes the Loop

Every incident should:

  • Confirm root cause
  • Evaluate response effectiveness
  • Identify control gaps
  • Assign remediation
  • Update policies and procedures

Improvement defines maturity.


Section B – Practice Questions

Question 1

During containment, affected systems are wiped before evidence collection.

What is the PRIMARY risk?

  A. Encryption weakness
  B. Vendor inefficiency
  C. Loss of legal defensibility
  D. Reduced automation

Answer & Explanation

Correct Answer: C

Evidence must be preserved before remediation.


Question 2

A breach is detected but not entered into the incident management system.

What is the MOST significant issue?

  A. Breakdown in documentation and governance tracking
  B. Encryption gap
  C. Vendor inefficiency
  D. Monitoring delay

Answer & Explanation

Correct Answer: A

All incidents must be formally documented.


Question 3

A severe incident is not escalated because investigation is incomplete.

What is the PRIMARY governance failure?

  A. Encryption deficiency
  B. Reduced automation
  C. Vendor oversight
  D. Failure to follow predefined escalation criteria

Answer & Explanation

Correct Answer: D

Escalation should follow severity thresholds, not investigation completion.


Question 4

Systems are restored without resetting compromised credentials.

What is the MOST significant risk?

  A. Encryption gap
  B. Continued unauthorized access
  C. Vendor inefficiency
  D. Reduced automation

Answer & Explanation

Correct Answer: B

Credential reset is essential during eradication.


Question 5

An organization deploys new tools during an active incident without training staff.

What is the PRIMARY weakness?

  A. Reduced automation
  B. Encryption gap
  C. Tool deployment without operational readiness
  D. Vendor inefficiency

Answer & Explanation

Correct Answer: C

Tools must align with capability maturity.


Question 6

After containment, root cause analysis is not performed.

What is the PRIMARY risk?

  A. Incident recurrence due to unresolved vulnerability
  B. Encryption weakness
  C. Vendor inefficiency
  D. Monitoring delay

Answer & Explanation

Correct Answer: A

Root cause must be addressed to prevent recurrence.


Question 7

Regulatory notification deadlines are missed due to delayed communication.

What is the MOST significant governance breakdown?

  A. Encryption deficiency
  B. Reduced automation
  C. Vendor oversight
  D. Failure to follow communication escalation procedures

Answer & Explanation

Correct Answer: D

Timely communication is mandatory for compliance.


Question 8

Post-incident findings identify ineffective monitoring, but no changes are implemented.

What is the PRIMARY weakness?

  A. Encryption gap
  B. Failure to integrate lessons learned into program improvement
  C. Vendor inefficiency
  D. Monitoring delay

Answer & Explanation

Correct Answer: B

Governance maturity requires improvement tracking.


Question 9

Containment actions significantly disrupt critical business operations.

What principle was MOST likely ignored?

  A. Automation discipline
  B. Vendor governance
  C. Proportional containment aligned with business impact
  D. Monitoring frequency

Answer & Explanation

Correct Answer: C

Containment must balance urgency with operational impact.


Question 10

After recovery, increased monitoring is not implemented.

What is the PRIMARY risk?

  A. Failure to validate eradication success
  B. Encryption deficiency
  C. Vendor oversight
  D. Reduced automation

Answer & Explanation

Correct Answer: A

Post-recovery monitoring confirms successful remediation.


Section B Pattern Summary

In Domain 4 Section B:

  • Tools enable structured response.
  • Investigation determines scope and impact.
  • Containment must be proportional.
  • Communication must follow escalation rules.
  • Eradication must address root cause.
  • Recovery must be validated.
  • Post-incident review drives improvement.

CISM rewards disciplined execution — not reactive urgency.
