Questions

  1. Why is mission a key element of an incident response plan?
    1. The IT team mission will dictate when a CSIRT is mobilized away from their day-to-day roles.
    2. The organization's mission will dictate which actions cannot be taken.
    3. The CSIRT mission will dictate what the team's priorities are.
    4. Every CSIRT's mission is the same, so including it in the plan informs senior management of this.
  2. NIST guidelines suggest that metrics are included in the incident response plan. What are these metrics there for?
    1. To measure the effectiveness of the plan
    2. To measure the severity of the incident before triggering the plan
    3. To measure the risk associated with the plan
    4. To quantify the value of the CSIRT
  3. Which of the following are actions within the preparation stage of incident management?
    1. Collecting and documenting evidence
    2. Training the CSIRT on the systems and technologies in use
    3. Fixing damaged host machines
    4. Recovering data from backups
  4. Which of the following CSIRTs contains staff who are directly employed by the affected organization?
    1. Internal CSIRT
    2. Analysis Center
    3. Vendor CSIRT
    4. Incident response providers
  5. Who is responsible for the implementation of the incident response plan?
    1. Senior management
    2. Information assurance team
    3. IT support team
    4. Public relations team
  1. At which stage of an incident are host computers restored from an image?
    1. Preparation
    2. Detection and analysis
    3. Containment, eradication, and recovery
    4. Post-incident analysis
  2. Which of the following is an example of a vendor CSIRT activity?
    1. Cisco responding to a denial of service attack on cisco.com
    2. Cisco providing emergency updates for older routers
    3. Cisco briefing the media about new trends in cybersecurity
    4. Cisco providing security as a service

The next three questions relate to the following scenario.

The HQ building for HACME Bank is accessible by any HACME employee using an RFID tag inside their ID card. Users from branches can use the computers at HQ to access all the same things that they could if they were in the branch.

Recently, a previously convicted fraudster was caught by police with a list of user IDs and passwords for HACME Bank employees. The IT manager is informed and notices that a number of large transfers were made from HQ under the accounts of staff members who were also logged in at their branch offices at the time, and whose ID cards had not been used to enter the HQ building on the day that the transfers were made.

  1. Which of the following actions would you expect the bank to now take in the detection and analysis phase?
    1. Log out all sessions for the listed users.
    2. The incident is already verified; containment should now begin.
    3. Change all the listed users' passwords and inform their managers of the new passwords by secure communications.
    4. Change the policy that allows users to be logged in on multiple machines simultaneously.
  2. Which of the following actions would you expect the bank to do in the containment, eradication, and recovery phase?
    1. Change the password rules so that passwords are less easy to guess.
    2. Change the username rules so that they are less easy to guess.
    3. Suspend all the listed users' accounts.
    4. Change the login rules at HQ so that only those users who are in the building (by ID card scan) are able to log in.

  1. Which of the following does the CSIRT need to be able to answer before entering the post-incident phase?
    1. How did the fraudster acquire the information?
    2. Are the affected users' accounts now secured?
    3. How many frauds have been carried out?
    4. Can we ensure that the fraudster cannot access the HQ building again?