ISC2-SSCP Domain 4: Incident Response and Recovery
SSCP: Incident Response and Recovery

1. In the context of incident response, which of the following best describes the purpose of a post-incident review?
A. To assign blame for the incident.
B. To document the incident and response for legal compliance.
C. To evaluate the incident response process and improve future responses.
D. To calculate the financial impact of the incident.

2. Which of the following is a primary objective when establishing communication protocols during an incident response plan?
A. Ensuring that the media receives timely updates.
B. Facilitating clear and secure communication among team members.
C. Notifying all employees about the incident immediately.
D. Communicating with external stakeholders before internal teams.

3. When analyzing indicators of compromise (IoCs) in incident response, which of the following best facilitates the identification of a sophisticated, multi-stage attack?
A. Timestamps of detected malware.
B. Patterns of network traffic to known bad IPs.
C. Correlation of disparate security alerts.
D. Frequency of failed login attempts.

4. Which component is essential to include in an incident response plan for it to be effective in a cloud computing environment?
A. Specific cloud service provider (CSP) contact information.
B. A list of physical server locations.
C. Traditional on-premises network monitoring tools.
D. A detailed inventory of physical devices.

5. During an incident response, why is it important to maintain a chain of custody for all digital evidence?
A. To ensure the evidence can be used in disciplinary actions against employees.
B. To comply with international data protection laws.
C. To validate the integrity and authenticity of the evidence for potential legal proceedings.
D. To facilitate the rapid recovery of affected systems.

6. In the initial phase of an incident response, which action is MOST critical for limiting the scope and impact of the incident?
A. Disconnecting the entire network from the internet.
B. Isolating affected systems from the network.
C. Immediately notifying all employees about the incident.
D. Deleting all suspected malicious files.

7. What is the PRIMARY reason for incorporating lessons learned into an incident response plan?
A. To meet regulatory compliance requirements.
B. To improve the plan based on practical experience.
C. To allocate blame for security breaches.
D. To increase the cybersecurity budget.

8. Which of the following best describes the role of threat intelligence in incident response?
A. Providing legal advice on how to prosecute attackers.
B. Offering a real-time feed of antivirus updates.
C. Enhancing the understanding of threats and guiding response actions.
D. Replacing the need for traditional security monitoring tools.

9. In incident response, what is the PRIMARY purpose of defining escalation paths?
A. To determine the financial impact of incidents.
B. To ensure incidents are communicated to law enforcement.
C. To facilitate timely decision-making and response by the appropriate personnel.
D. To document incidents for insurance claims.

10. Why is it important for incident response plans to include procedures for dealing with distributed denial of service (DDoS) attacks specifically?
A. DDoS attacks are easy to mitigate with standard security controls.
B. DDoS attacks can serve as a distraction from more serious security breaches.
C. DDoS attacks primarily affect the physical security of an organization.
D. DDoS attacks are legally protected forms of protest.

11. What is the PRIMARY goal of incorporating a tabletop exercise into an incident response plan?
A. To physically test the technical capabilities of the incident response team.
B. To assess the team's ability to communicate with external media outlets.
C. To validate the effectiveness and completeness of the plan through simulated scenarios.
D. To ensure all employees understand the technical details of potential incidents.

12. In incident response, which of the following best describes the function of a "kill chain" model?
A. A process for prioritizing incidents based on their potential impact.
B. A framework for analyzing and disrupting the progression of cyber attacks.
C. A method for determining the financial damages caused by security incidents.
D. A strategy for deploying antivirus software across an enterprise network.

13. Which of the following is an essential component of a digital forensics toolkit in the context of incident response?
A. A database of common passwords for decrypting encrypted files.
B. Tools for secure and verifiable evidence collection and analysis.
C. A list of contacts at competing organizations for information sharing.
D. Software for automatically patching vulnerabilities in real time.

14. During an incident response, why is it critical to perform a root cause analysis (RCA)?
A. To identify the personnel responsible for the breach.
B. To document the incident for insurance purposes.
C. To understand the underlying issues that allowed the incident to occur.
D. To determine the immediate steps for system recovery.

15. What is the significance of "time to detection" (TTD) in the context of incident response?
A. It measures the efficiency of the backup and recovery process.
B. It indicates the time taken to detect a security incident from its initiation.
C. It calculates the total downtime caused by an incident.
D. It assesses the time required to notify stakeholders about an incident.

16. Why is it important for an incident response plan to include a process for legal review before public disclosure of a breach?
A. To ensure compliance with global advertising standards.
B. To minimize the impact on the organization's stock price.
C. To prevent unnecessary technical details from being disclosed.
D. To comply with data protection laws and regulatory requirements.

17. In incident response, what is the purpose of defining "severity levels" for incidents?
A. To establish a schedule for regular security audits.
B. To dictate the frequency of security awareness training.
C. To prioritize incident handling based on impact and urgency.
D. To determine the compensation for affected customers or clients.

18. What is the role of a "playbook" in incident response?
A. To provide a set of predefined responses to common security incidents.
B. To outline the annual budget for the cybersecurity department.
C. To document the personal contact information of all employees.
D. To serve as a legal contract between the incident response team and external vendors.

19. How does the implementation of an Incident Response (IR) retainer service benefit an organization?
A. It guarantees a fixed response time for any security incident.
B. It eliminates the need for an internal incident response team.
C. It provides a discount on cybersecurity insurance premiums.
D. It ensures continuous monitoring of the organization's network.

20. Why is it critical to integrate threat hunting activities into the incident response process?
A. To satisfy audit requirements and compliance standards.
B. To identify and mitigate threats before they cause significant damage.
C. To allocate IT budget more efficiently.
D. To provide training opportunities for new IT staff.