Full Access Isaca CISM Tutorials

post-incident review of an information security incident is a process that aims to identify the root causes, contributing factors, and lessons learned from the incident, and to implement corrective and preventive actions to avoid or mitigate similar incidents in the future. The primary objective of a post-incident review is to prevent recurrence, as it helps to improve the security posture, awareness, and resilience of the organization. Preventing recurrence also helps to reduce the impact and cost of future incidents, as well as to enhance the reputation and trust of the organization. Updating the risk profile, minimizing impact, and determining the impact are not the primary objectives of a post-incident review, although they may be part of its outcomes or outputs. References = CISM Review Manual, 16th Edition, page 1011

According to the CISM Manual, the organization’s risk appetite is the amount and type of risk that the organization is willing to accept in order to achieve its objectives1. The organization’s risk appetite should guide the development and maintenance of an information security program, as it determines the level of security controls, resources, and activities that are needed to protect the organization’s assets and operations1.

The CISM Manual states that “the information security program should be aligned with the organization’s risk appetite, which reflects its tolerance for risk and its strategic objectives” (IR 8288A)1. The information security program should also consider other factors that influence the organization’s risk appetite, such as its mission, vision, values, culture, stakeholders, regulations, standards, guidelines, and best practices1.

The CISM Manual also provides guidance on how to develop and maintain an information security program based on the organization’s risk appetite. It recommends using a process that involves identifying, analyzing, evaluating, treating, monitoring, and reviewing risks that affect the organization’s information assets1. It also suggests using a framework or model that supports the development of an information security program based on the organization’s risk appetite (e.g., ISO/IEC 27001)1.

Initiating incident response is the best course of action after a server has been attacked because it activates the incident response plan or process, which defines the roles and responsibilities, procedures and protocols, tools and techniques for responding to and managing a security incident effectively and efficiently. Reviewing vulnerability assessment is not a good course of action because it does not address the current attack or its impact, but rather evaluates the potential weaknesses or exposures of the server. Conducting a security audit is not a good course of action because it does not address the current attack or its impact, but rather verifies and validates the compliance or performance of the server’s security controls or systems. Isolating the system is not a good course of action because it does not address the current attack or its impact, but rather stops or limits any communication or interaction with the server. References: