Effective CISSP Questions

You are the CISO at Wonderland county government. The incident response team reports to you that unknown ransomware has successfully attacked the county’s file servers and encrypted production data. As a CISO, which of the following do you think the IR team should conduct next?
A. Identify the root cause and remediate the problem
B. Prioritize the incident
C. Isolate infected machines
D. Validate if the incident is true

Wentz’s Book, The Effective CISSP: Security and Risk Management

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Isolate infected machines.

Incident Response Process

Incident Handling Checklist

The following is a general incident response procedure:

  1. An incident should be validated to make sure it’s a genuine incident.
  2. The incident is prioritized, categorized, and documented.
  3. Related parties or stakeholders should be notified, reported, or escalated.
  4. The incident is contained.
  5. The root cause of the incident is identified, eradicated, and remediated.

Since the IR team has reported the incident to you as the CISO, it implies that the IR team has already validated and prioritized the incident and followed the notification or escalation procedure appropriate to its priority. So, the next step should be containing the incident, i.e., “isolating infected machines.”

There are various approaches to IR, and the approach you adopt will affect your answer. In real life, some activities are conducted in parallel. It’s good to understand the different approaches, e.g., Sybex, CBK, NIST, ISACA, or other well-known sources.
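The procedure above can be written down as a small playbook model that enforces the ordering of the five steps and works out what is next, which is the reasoning behind the suggested answer. This is an added illustration, not code from the book or from any IR standard; the phase names and the tier assignment (tier 1 triages, tier 2 contains and eradicates) are assumptions made for the example.

```python
from dataclasses import dataclass, field

# The five phases of the general IR procedure, in the order the page lists them.
PHASES = ["validate", "prioritize", "notify", "contain", "eradicate"]

# A phase may start only when every phase listed for it has been completed.
PREREQS = {
    "validate": set(),
    "prioritize": {"validate"},
    "notify": {"prioritize"},          # notification depends on the assigned priority
    "contain": {"notify"},
    "eradicate": {"contain"},
}

# Assumed tier split (example only): tier 1 handles triage, tier 2 handles response.
TIER = {"validate": 1, "prioritize": 1, "notify": 1, "contain": 2, "eradicate": 2}


@dataclass
class Incident:
    name: str
    done: set = field(default_factory=set)

    def complete(self, phase):
        """Record a finished phase, refusing out-of-order work."""
        missing = PREREQS[phase] - self.done
        if missing:
            raise ValueError(f"{phase} requires {sorted(missing)} first")
        self.done.add(phase)

    def escalated_to_ciso(self):
        """A report reaching the CISO implies tier 1 triage is finished."""
        for phase in ("validate", "prioritize", "notify"):
            self.complete(phase)

    def next_phases(self):
        """Phases whose prerequisites are all satisfied and are not yet done."""
        return [p for p in PHASES if p not in self.done and PREREQS[p] <= self.done]

    def next_tier(self):
        """Which tier should pick the incident up next (None when finished)."""
        nxt = self.next_phases()
        return max(TIER[p] for p in nxt) if nxt else None


def next_step_after_ciso_report(name):
    """Constructed scenario: the question's ransomware incident, just reported to the CISO."""
    inc = Incident(name)
    inc.escalated_to_ciso()
    return inc.next_phases(), inc.next_tier()
```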

Tiers of Incident Response

Since the incident may be analyzed, prioritized, and reported by a tier 1 analyst, the tier 2 responder starts containing the incident after tier 1 triage. The size and structure of the organization may affect the IR procedure.

Tiers of Incident Response (Vectra)

Tiers of Incident Response (Splunk)

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
