ISACA CISM Exam Questions - Certified Information Security Manager


Our CISM Exam Questions provide authentic, up-to-date content for the ISACA Certified Information Security Manager (CISM) certification. Each question is reviewed by certified information security managers and includes verified answers with clear explanations to deepen your understanding of security governance, risk management, program development, and incident response. With access to our exam simulator, you can practice under real exam conditions and confidently prepare to pass on your first attempt.

Exam Questions

Question 1

What type of control is being implemented when a security information and event management (SIEM) system is installed?
Options
A: Preventive
B: Deterrent
C: Detective
D: Corrective
Show Answer
Correct Answer:
Detective
Explanation
A security information and event management (SIEM) system is fundamentally a detective control. It collects, aggregates, normalizes, correlates, and analyzes log data from sources across the organization's IT infrastructure, and by analyzing that data in near real time it identifies security events, potential threats, policy violations, and anomalies that may indicate an incident has occurred or is in progress. It provides the visibility and alerting needed to discover security issues, but by itself it neither prevents them nor corrects them. Even where a SIEM is integrated with an orchestration or endpoint detection and response (EDR) tool that automatically blocks a source or isolates a host when an alert fires, the blocking is performed by that other control; the SIEM's own function remains detection, and its value depends on log coverage and rule quality, since it cannot detect what is never logged or correlated.
Why Incorrect Options are Wrong

A. Preventive: A SIEM does not stop an incident from occurring. It reports on events, rather than blocking malicious actions like a firewall would.

B. Deterrent: While the knowledge of robust monitoring might discourage some attackers, a SIEM's primary function is not deterrence but detection of activities.

D. Corrective: A SIEM does not fix issues or restore systems. It provides the necessary information to trigger a corrective response, which is a separate function.
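An added example, written for this page rather than taken from ISACA or any SIEM vendor: the Go program below implements a single SIEM-style correlation rule over constructed sshd log lines (the IP addresses, user names, and timestamps are made up, and the threshold and window are assumed values). It shows the detect-but-do-not-block behaviour the explanation describes: the rule parses and time-orders the events, counts failed logins per source inside a sliding window, and raises an alert when a success follows at least five failures from the same source, without blocking that source or terminating the session.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one normalized authentication record after collection and parsing.
type Event struct {
	Time    time.Time
	Source  string // client IP
	User    string
	Success bool
}

// Alert is what a detective control produces: a finding handed to an analyst or a
// downstream response process. Nothing in this program blocks the source.
type Alert struct {
	Source   string
	User     string
	Failures int
	At       time.Time
}

// Rule parameters for the correlation below (assumed values, not from any vendor).
const DefaultThreshold = 5
const DefaultWindow = time.Minute

// SampleLog is constructed for this example in a simplified syslog-like layout:
// "<RFC3339 time> <process>: (Failed|Accepted) password for <user> from <ip>".
var SampleLog = []string{
	"2025-10-19T10:00:00Z sshd[1201]: Failed password for admin from 203.0.113.7",
	"2025-10-19T10:00:02Z sshd[1201]: Failed password for admin from 203.0.113.7",
	"2025-10-19T10:00:03Z cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
	"2025-10-19T10:00:04Z sshd[1201]: Failed password for admin from 203.0.113.7",
	"2025-10-19T10:00:06Z sshd[1201]: Failed password for admin from 203.0.113.7",
	"2025-10-19T10:00:08Z sshd[1201]: Failed password for admin from 203.0.113.7",
	"2025-10-19T10:00:09Z sshd[1201]: Accepted password for admin from 203.0.113.7",
	"2025-10-19T10:00:15Z sshd[1302]: Failed password for alice from 198.51.100.22",
	"2025-10-19T10:00:20Z sshd[1302]: Accepted password for alice from 198.51.100.22",
	"2025-10-19T10:30:00Z sshd[1410]: Failed password for root from 203.0.113.7",
}

// parseLine extracts an Event from one sshd line and reports false for anything else
// (other daemons, malformed lines), which a real collector would route to other rules.
func parseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) < 8 || !strings.HasPrefix(f[1], "sshd[") || f[3] != "password" || f[6] != "from" {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, false
	}
	switch f[2] {
	case "Failed":
		return Event{Time: ts, Source: f[7], User: f[5], Success: false}, true
	case "Accepted":
		return Event{Time: ts, Source: f[7], User: f[5], Success: true}, true
	}
	return Event{}, false
}

// Correlate implements one SIEM-style rule: at least `threshold` failed logins from a
// single source within `window`, followed by a success from that source. Events are
// sorted by time first because logs aggregated from many hosts arrive out of order.
func Correlate(lines []string, threshold int, window time.Duration) []Alert {
	var events []Event
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			events = append(events, ev)
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })

	recentFails := map[string][]time.Time{} // per-source failure times still inside the window
	var alerts []Alert
	for _, ev := range events {
		kept := recentFails[ev.Source][:0]
		for _, t := range recentFails[ev.Source] {
			if ev.Time.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		if !ev.Success {
			kept = append(kept, ev.Time)
		} else if len(kept) >= threshold {
			alerts = append(alerts, Alert{Source: ev.Source, User: ev.User, Failures: len(kept), At: ev.Time})
			kept = kept[:0] // one burst produces one alert
		}
		recentFails[ev.Source] = kept
	}
	return alerts
}

func main() {
	for _, a := range Correlate(SampleLog, DefaultThreshold, DefaultWindow) {
		// The output is an alert for a human or a response playbook; the SIEM itself has
		// not blocked 203.0.113.7 or ended the session. That is the difference between
		// a detective and a preventive control.
		fmt.Printf("ALERT %s: %d failures then success as %s from %s\n",
			a.At.Format(time.RFC3339), a.Failures, a.User, a.Source)
	}
}
```

Running it prints one alert for 203.0.113.7. A preventive control would be whatever consumes that alert, for example a firewall rule or an EDR quarantine, which the SIEM can only request.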

---

References

1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management. The manual defines detective controls as those "designed to detect and report that an error, omission or malicious act has occurred." SIEM systems are consistently categorized under this function as they are a primary tool for monitoring and detecting security events. (Specific reference: Chapter 3, Section on "Security Control Types and Functions").

2. NIST Special Publication 800-92, Guide to Computer Security Log Management. Section 3, "Log Management Infrastructure" (with SIEM software described in Section 3.4), describes the functions of log management tools, including SIEMs. The entire process of collecting, centralizing, and analyzing logs is presented as a mechanism for identifying security incidents, which is the definition of a detective control.

3. Tounsi, W., & Rais, H. (2018). A survey on technical threat intelligence in the age of big data. Computers & Security, 72, 212-233. This peer-reviewed article discusses SIEM as a core technology for threat detection, stating, "SIEMs are used to provide a holistic view of the IT security by collecting and correlating logs from different sources to detect security threats." This aligns directly with the function of a detective control. (DOI: https://doi.org/10.1016/j.cose.2017.09.001, Section 3.1).

Question 2

Which of the following is MOST useful to an information security manager when determining the need to escalate an incident to senior management?
Options
A: Incident management procedures
B: Incident management policy
C: System risk assessment
D: Organizational risk register
Show Answer
Correct Answer:
Organizational risk register
Explanation
The organizational risk register is the most useful tool for determining the need for escalation because it provides a consolidated view of the key risks to the organization, ranked by their potential business impact. When an incident occurs, the information security manager can map the incident's characteristics to the risks documented in the register. If the incident triggers or corresponds to a risk with a high-impact rating (e.g., significant financial loss, reputational damage, regulatory failure), it provides a clear, business-focused justification for escalating to senior management, who are ultimately responsible for managing these enterprise-level risks.
Why Incorrect Options are Wrong

A. Incident management procedures: These provide the step-by-step instructions for how to escalate, but not the strategic criteria for when to escalate based on business impact.

B. Incident management policy: This is a high-level document that mandates an incident management program and escalation but lacks the specific risk details for decision-making.

C. System risk assessment: This is too narrow in scope, as it focuses on a single system's risks, whereas a major incident may have a broader organizational impact.

References

1. ISACA, CISM Review Manual, 15th Edition. Part 3: Information Security Program Development and Management, Section 2.9 Risk Management. The manual explains that the risk register is a tool for managing and communicating the organization's risk portfolio. Senior management uses this to understand the most significant threats to business objectives, making it the logical reference for determining if an incident's impact warrants their attention.

2. ISACA, CRISC Review Manual, 6th Edition. Chapter 2: IT Risk Assessment. This manual details that the risk register is the primary output of the risk identification and analysis process. It states, "The risk register provides a central repository for all identified risks... It is used to support decisions on risk response," which includes escalating an active incident that actualizes a documented risk.

3. Parker, D. B. (2014). Information Security Management Handbook, 6th Edition, Volume 7. Auerbach Publications. Chapter 5, "Information Security Governance," discusses how the risk register is a key communication tool between security functions and executive management. It translates technical issues into business impact terms, which is essential for effective escalation and executive decision-making. (This is a widely used academic and professional text in the field).

Question 3

In the context of developing an information security strategy, which of the following provides the MOST useful input to determine the organization's risk appetite?
Options
A: Security budget
B: Risk register
C: Risk score
D: Laws and regulations
Show Answer
Correct Answer:
Laws and regulations
Explanation
An organization's risk appetite is the amount and type of risk it is willing to accept in pursuit of its objectives. This is a high-level, strategic decision. Laws and regulations are external, mandatory requirements that establish a baseline for acceptable risk. They are non-negotiable and define the minimum level of control and compliance an organization must achieve. Therefore, these legal and regulatory constraints are a primary and foundational input for senior management when determining the organization's risk appetite, as no organization can have an appetite for risks that would lead to noncompliance.
Why Incorrect Options are Wrong

A. Security budget: The budget is an outcome or a constraint of the security strategy and risk appetite, not a primary input for defining it.

B. Risk register: This is a tactical document used to manage identified risks in alignment with the already established risk appetite, not to determine it.

C. Risk score: A risk score is a metric for a specific risk, used for prioritization and treatment decisions after the risk appetite has been set.

References

1. ISACA, CISM Review Manual, 15th Edition. Domain 1: Information Security Governance, Section 1.2.3, "Legal and Regulatory Requirements." The manual emphasizes that legal, regulatory, and contractual requirements are key drivers for the information security strategy. The strategy, which includes defining risk appetite, must ensure compliance, making these requirements a fundamental input.

2. NIST Special Publication 800-39, "Managing Information Security Risk: Organization, Mission, and Information System View." Section 2.2, "Risk Framing," page 13. This section lists "laws, directives, regulations, policies, standards, and guidelines" as essential inputs for establishing the risk context and framing risk, which includes determining risk appetite and tolerance.

3. ISACA, COBIT 2019 Framework: Governance and Management Objectives. APO12 "Manage Risk," page 121. The framework lists "External compliance requirements" as a key input for the process of defining and maintaining a risk profile, which includes establishing the organization's risk appetite.

Question 4

An employee clicked on a link in a phishing email, triggering a ransomware attack. Which of the following should be the information security team's FIRST priority?
Options
A: Wipe the affected system.
B: Notify internal legal counsel.
C: Notify senior management.
D: Isolate the impacted endpoints.
Show Answer
Correct Answer:
Isolate the impacted endpoints.
Explanation
The immediate and most critical priority for the information security team once a ransomware infection is detected is containment, and isolating the impacted endpoints from the network is the primary containment action. It stops the ransomware from propagating to other hosts, servers, and network shares, limiting the scope and overall impact of the attack. In practice, isolation means disconnecting the endpoint from the network or quarantining it through endpoint detection and response (EDR) tooling, not powering it off: volatile memory may hold process state and, for some ransomware families, the encryption keys that forensic analysis and recovery depend on. This aligns with standard incident response frameworks, where containment follows detection and initial analysis and precedes eradication and recovery. The other actions are necessary, but they are secondary to stopping the ongoing damage.
Why Incorrect Options are Wrong

A. Wipe the affected system. This is a premature eradication step that would destroy valuable forensic evidence needed for investigation and should only occur after containment.

B. Notify internal legal counsel. While a necessary step in the incident response process, immediate technical containment to prevent further spread takes precedence over notification.

C. Notify senior management. Communication with leadership is crucial for awareness and resource allocation, but it follows the initial technical action of containing the threat.

References

1. NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. Section 3.3, "Containment, Eradication, & Recovery," states, "Containment is the first step in this phase... Containment is important before an incident overwhelms resources or increases damage." The document lists disconnecting the affected host from the network as a primary containment strategy (p. 23).

2. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. National Institute of Standards and Technology. This is the full citation for the above reference, which is a foundational document for the principles tested in the CISM exam.

3. Tounsi, W., & Frikha, H. (2018). "A new taxonomy for security incident response plan." Computers & Security, 74, 169-191. This academic paper reviews various incident response models, consistently identifying "Containment" as the immediate phase following "Detection and Analysis" to limit the extent of an incident. (DOI: https://doi.org/10.1016/j.cose.2017.12.007)

Question 5

After a server has been attacked, which of the following is the BEST course of action?
Options
A: Initiate incident response.
B: Review vulnerability assessment.
C: Conduct a security audit.
D: Isolate the system.
Show Answer
Correct Answer:
Initiate incident response.
Explanation
The BEST course of action after an attack is to initiate the formal incident response (IR) process. This is a structured and comprehensive approach that ensures all necessary actions are taken in a coordinated and effective manner. The IR plan will guide the team through critical phases, including identification, analysis, containment (which may include isolating the system), eradication, and recovery. Simply isolating the system (Option D) without invoking the full IR process could lead to the loss of volatile evidence, alert the attacker, or fail to address the full scope of the compromise. The IR process provides the overarching framework for all tactical decisions.
Why Incorrect Options are Wrong

B. Review vulnerability assessment: This is a proactive measure to identify weaknesses or a post-incident activity for lessons learned, not the immediate action during an attack.

C. Conduct a security audit: An audit is a formal, systematic review of controls and compliance, which is inappropriate as an immediate response to an active incident.

D. Isolate the system: While system isolation is a critical containment strategy, it is a component of the overall incident response process, not the best first step. The IR plan dictates when and how to isolate.

References

1. NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. Section 3.2, "Incident Response Lifecycle," outlines the major phases of incident response. The discovery of an attack triggers the "Detection & Analysis" phase, which is the formal start of the response process. This process then guides subsequent actions, including "Containment, Eradication, & Recovery" (Section 3.3), where actions like isolating a system are considered as part of a broader strategy.

2. Tøndel, I. A., Line, M. B., & Gjøsæter, T. (2012). Towards a structured cyber security incident response process. This paper emphasizes the importance of a structured, pre-planned process over ad-hoc actions. It states, "A structured process for incident response is important to ensure that incidents are handled efficiently and that all necessary steps are taken." Initiating the formal process (A) aligns with this principle, whereas taking a single tactical step (D) would be an ad-hoc action. (Available via the SINTEF academic archive and other academic databases.)

3. University of California, Berkeley, Information Security Office Documentation. In their "Incident Response Plan," the first step after detection and reporting is "Triage & Analysis," which involves activating the incident response team and beginning a coordinated investigation. This aligns with "Initiate incident response" as the primary, overarching action. The plan specifies that containment strategies (like isolation) are determined during this coordinated response.

Question 6

Which of the following is the GREATEST concern resulting from the lack of severity criteria in incident classification?
Options
A: Statistical reports will be incorrect.
B: The service desk will be staffed incorrectly.
C: Escalation procedures will be ineffective.
D: Timely detection of attacks will be impossible.
Show Answer
Correct Answer:
Escalation procedures will be ineffective.
Explanation
Incident severity criteria are fundamental to a structured incident response framework. They provide the basis for prioritizing incidents, allocating appropriate resources, and determining the required level of management notification. Without clear severity criteria, there is no objective way to differentiate a minor event from a major crisis. This ambiguity renders escalation procedures ineffective, as the triggers for escalating to senior technical staff, management, or legal teams are absent. Consequently, critical incidents may not receive the timely attention they require, while minor incidents might be unnecessarily escalated, leading to inefficient use of resources.
Why Incorrect Options are Wrong

A. While statistical reports will lack crucial context and be less meaningful without severity data, this is a secondary consequence compared to the immediate failure of the response process.

B. Overall service desk staffing is primarily based on incident volume, not severity. While severity affects the allocation of specialized skills, it is not the main driver for total staff numbers.

D. Detection is the process of identifying a potential security event. Classification and severity assignment occur after an event has been detected; therefore, a lack of criteria does not make detection impossible.

References

1. ISACA, CISM Review Manual, 15th Edition. Domain 4: Information Security Incident Management. Section 4.3, "Incident Response Plan," emphasizes that an incident response plan must include procedures for classifying incidents. This classification is what drives the appropriate response, including prioritization and escalation, ensuring that incidents are handled by the correct personnel in a timely manner. The absence of severity criteria directly undermines this core function.

2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-61 Rev. 2, "Computer Security Incident Handling Guide." Section 2.3.2, "Incident Categorization," states, "Incidents should be categorized... This is important for prioritization; for example, a worm that is spreading rapidly and causing a denial of service should be handled before a minor malware incident on a single host." This prioritization is the direct input for escalation procedures.

3. Von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102. This academic publication discusses the evolution of information security management. It implicitly supports the need for structured response mechanisms, where classification and severity assessment are critical for triggering appropriate actions, including escalation, to manage cyber threats effectively. (https://doi.org/10.1016/j.cose.2013.04.004)

Question 7

In a call center, the BEST reason to conduct a social engineering test is to:
Options
A: identify candidates for additional security training.
B: minimize the likelihood of successful attacks.
C: gain funding for information security initiatives.
D: improve password policy.
Show Answer
Correct Answer:
identify candidates for additional security training.
Explanation
The primary and most direct purpose of conducting a social engineering test is to assess the effectiveness of security awareness and identify human vulnerabilities within an organization. The results of such a test provide empirical data on which employees are susceptible to manipulation. This data is then used to identify individuals or groups who require remedial or enhanced security awareness training. By targeting training resources at the most vulnerable points, an organization can most efficiently improve its human security posture. The test serves as a diagnostic tool to prescribe the necessary corrective action, which is training.
Why Incorrect Options are Wrong

B. This is the broader, strategic objective of the entire information security program, not the specific, immediate reason for conducting one particular test.

C. While poor test results can be used to justify budget requests, the primary purpose of the test is to improve security, not to secure funding.

D. A social engineering test assesses user behavior and compliance with policies, but it is not the primary tool for creating or improving the policy document itself.

---

References

1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management, Task Statement B2.3: "Establish and maintain information security awareness and training programs to promote a secure environment and an effective security culture." The manual explains that testing methods, such as phishing simulations (a form of social engineering), are used to measure the effectiveness of awareness programs and identify areas needing improvement, which directly translates to identifying candidates for further training.

2. Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack detection model: A literature review. Computers & Security, 59, 1-18. In Section 4, "Mitigation of SE Attacks," the paper emphasizes that user education and awareness programs are a primary defense. It states, "The aim of an awareness program is to influence the behaviour of users... Testing and measuring the effectiveness of the program is essential." This supports the concept that testing is done to find behavioral flaws that need to be corrected through training. (https://doi.org/10.1016/j.cose.2016.02.005)

3. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5. (2020). Security and Privacy Controls for Information Systems and Organizations. Control: AT-2, "Security Awareness Training." The discussion section for this control notes that organizations can "employ assessments (e.g., social engineering exercises to test the awareness of users) to determine the effectiveness of security awareness training." This explicitly links social engineering exercises to assessing training effectiveness and, by extension, identifying where more training is needed.

Question 8

To ensure that a new application complies with information security policy, the BEST approach is to:
Options
A: review the security of the application before implementation.
B: integrate functionality in the development stage.
C: perform a vulnerability analysis.
D: periodically audit the security of the application.
Show Answer
Correct Answer:
integrate functionality in the development stage.
Explanation
The most effective and cost-efficient approach to ensure a new application complies with security policy is to integrate security requirements and controls during the development stage. This principle, often referred to as "Security by Design" or "Shifting Left," ensures that compliance is a fundamental component of the application rather than an afterthought. Addressing security early in the System Development Life Cycle (SDLC) is significantly less expensive and disruptive than discovering and remediating policy violations or vulnerabilities just before or after implementation. This proactive method builds a more resilient and inherently compliant application from the ground up.
Why Incorrect Options are Wrong

A. Reviewing before implementation is a detective control that occurs too late in the lifecycle; fixing fundamental design flaws at this stage is costly and can cause significant project delays.

C. Performing a vulnerability analysis is a specific technical assessment, not a comprehensive approach to ensure alignment with all aspects of an information security policy, which includes more than just technical flaws.

D. Periodically auditing the application is a post-implementation activity. It is essential for ongoing assurance but is reactive and does not ensure initial compliance is built in from the start.

References

1. ISACA, CISM Review Manual, 15th Edition. Chapter 3, Information Security Program Development and Management, p. 168. The manual states, "Security should be an integral part of every stage of the SDLC... The cost of correcting a security flaw or adding a security feature increases exponentially the later it is found in the SDLC." This supports integrating security during development (Option B) as the most cost-effective and best approach.

2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1, February 3, 2022. Practice PW.1: "Design Software to Meet Security Requirements and Mitigate Security Risks." This practice emphasizes that "security requirements should be taken into account during software design, and the design should be reviewed and approved before development begins." This directly supports building security in during the earliest feasible stages, which includes development.

3. Mougouei, D., Sani, N. F. M., & Al-Fahim, N. H. (2017). A review of security by design in the software development lifecycle. International Journal of Applied Engineering Research, 12(17), 6466-6472. This academic review reinforces the concept, stating, "Security by design is a new approach that recommends security decisions to be incorporated in the early stages of the software development life cycle (SDLC) to minimize vulnerabilities in the software." This highlights the superiority of early integration over late-stage reviews or post-implementation audits.

Question 9

An information security manager has identified that security risks are not being treated in a timely manner. Which of the following would BEST address this situation?
Options
A: Provide regular updates about the current state of the risks.
B: Re-perform risk analysis at regular intervals.
C: Assign a risk owner to each risk
D: Create mitigating controls to manage the risks.
Show Answer
Correct Answer:
Assign a risk owner to each risk
Explanation
The core problem identified is a failure in the risk treatment process, where identified risks are not being acted upon in a timely manner. The most fundamental reason for such inaction is a lack of clear accountability. Assigning a risk owner to each identified risk establishes this accountability. The risk owner is the designated individual responsible for ensuring that the risk is appropriately assessed, a treatment plan is executed, and the risk is monitored. This assignment is the most critical step to drive the risk management process forward and ensure that risks are addressed, thereby directly resolving the stated problem.
Why Incorrect Options are Wrong

A. Provide regular updates about the current state of the risks: This is a reporting activity. While it increases visibility of the problem, it does not solve the underlying issue of why risks are not being treated.

B. Re-perform risk analysis at regular intervals: The problem is not with the identification or analysis of risks, but with the lack of action after analysis. Re-performing analysis is inefficient and does not address the treatment bottleneck.

D. Create mitigating controls to manage the risks: This is a risk treatment option itself. However, the question implies this step is not happening. Assigning an owner is the prerequisite to ensure someone is accountable for creating and implementing controls.

---

References

1. ISACA, CISM Review Manual, 15th Edition. In Domain 2: Information Risk Management, the concept of risk ownership is central to effective risk treatment. The manual states, "Risk ownership is a key concept in information risk management... The risk owner is an individual accountable for the identification, assessment, treatment and monitoring of risks in a specific area." (p. 111). This establishes that accountability through ownership is essential for the treatment phase.

2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-39, Managing Information Security Risk. This foundational document on risk management emphasizes that the process requires clear roles and responsibilities. The risk response step, which includes treatment, "provides a consistent, organization-wide, response to risk." (Section 2.3, p. 15). Such a response cannot be executed without an accountable party (i.e., a risk owner) to make decisions and direct action.

3. ISACA, COBIT 2019 Framework: Governance and Management Objectives. The framework's process APO12 Manage Risk requires clear accountability structures. Practice APO12.05 Maintain a risk profile includes identifying risk owners as a key activity. Without an owner, the subsequent practice APO12.06 Articulate risk and APO12.07 Define a risk management action portfolio cannot be effectively executed, leading to the exact problem described in the scenario. (pp. 108-109).

Question 10

An email digital signature will:
Options
A: protect the confidentiality of an email message.
B: verify to recipient the integrity of an email message.
C: automatically correct unauthorized modification of an email message.
D: prevent unauthorized modification of an email message.
Show Answer
Correct Answer:
verify to recipient the integrity of an email message.
Explanation
A digital signature provides data integrity, origin authentication, and non-repudiation. The sender computes a cryptographic hash of the message and produces a signature over that hash with the sender's private key (with RSA this is often described loosely as "encrypting the hash", but it is a signing operation, not encryption). The recipient independently recomputes the hash of the received message and verifies the signature against it with the sender's public key. If verification succeeds, the message is byte-for-byte what the holder of the private key signed; any modification after signing causes verification to fail, which is how integrity is verified. Verification proves origin only to the extent that the public key is trustworthily bound to the sender, for example through an S/MIME certificate or a PGP key the recipient has validated. The signature does not encrypt the message content: a signed but unencrypted email remains readable by anyone who intercepts it.
Why Incorrect Options are Wrong

A. Confidentiality is achieved by encrypting the entire message content, which is a separate process from applying a digital signature.

C. A digital signature is a detective control; it can identify that a modification has occurred but has no capability to automatically correct it.

D. A digital signature is a detective, not a preventive, control. It cannot stop a message from being intercepted and modified in transit.
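An added example, written for this page and not taken from ISACA or any mail client: the Go program below carries out the hash-then-sign-then-verify sequence from the explanation above with RSA-PSS over SHA-256 from the standard library, then modifies the signed body in transit to show what the recipient observes. The message body and the key pair are constructed for the example; the binding of the public key to the sender (a certificate or PGP key) is assumed rather than modelled. The run demonstrates the three points the options turn on: the unaltered message verifies, the altered message fails verification (detection, not prevention or correction), and the altered body is still readable (no confidentiality).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedEmail is a constructed stand-in for an S/MIME- or PGP-signed message: the body
// travels in the clear (a signature provides no confidentiality) next to its signature.
type SignedEmail struct {
	Body      []byte
	Signature []byte
}

// GenerateSenderKey creates the sender's RSA key pair. In a real deployment the public
// half is bound to the sender by a certificate or PGP key; that binding is assumed here.
func GenerateSenderKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the body with SHA-256 and signs the digest with the sender's private key
// using RSA-PSS. Only the holder of the private key can produce this value.
func Sign(priv *rsa.PrivateKey, body []byte) (SignedEmail, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedEmail{}, err
	}
	return SignedEmail{Body: body, Signature: sig}, nil
}

// Verify recomputes the digest over the received body and checks the signature with the
// sender's public key. It is true only if the body is byte-for-byte what was signed and
// the signature was produced by the matching private key.
func Verify(pub *rsa.PublicKey, m SignedEmail) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], m.Signature, nil) == nil
}

// Tamper models modification in transit: the body changes but the signature stays,
// because an attacker without the private key cannot produce a new valid one.
func Tamper(m SignedEmail, newBody []byte) SignedEmail {
	return SignedEmail{Body: newBody, Signature: m.Signature}
}

func main() {
	key, err := GenerateSenderKey()
	if err != nil {
		panic(err)
	}
	// Constructed message body for the example.
	msg, err := Sign(key, []byte("Please wire the Q3 vendor payment to account 1234 by Friday."))
	if err != nil {
		panic(err)
	}
	forged := Tamper(msg, []byte("Please wire the Q3 vendor payment to account 9999 by Friday."))

	fmt.Println("original verifies:", Verify(&key.PublicKey, msg))   // true
	fmt.Println("tampered verifies:", Verify(&key.PublicKey, forged)) // false: integrity violation detected
	// The signature detected the change but neither prevented nor repaired it, and the
	// altered body is still readable to anyone on the path.
	fmt.Printf("body as received: %s\n", forged.Body)
}
```

Verifying with a public key other than the sender's also fails, which is the authentication half of the guarantee; it is only as strong as the recipient's confidence that the public key really belongs to the claimed sender.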

References

1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management. The manual explains cryptographic controls, stating that digital signatures are used to provide integrity, authentication, and non-repudiation, distinguishing this from encryption which provides confidentiality.

2. National Institute of Standards and Technology (NIST). (2013). FIPS PUB 186-4, Digital Signature Standard (DSS). Page 1, Section 1, Introduction. The standard states, "Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can present the data and its signature to a third party to prove that the signature was generated by the claimed signatory. This is known as non-repudiation... In summary, the use of a digital signature provides data integrity and source authentication."

3. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. Chapter 8, "Security in Computer Networks," Section 8.3, "Message Integrity and Digital Signatures," explains that digital signatures, created by signing a message digest with a private key, allow a recipient to verify that the message is unaltered (integrity) and from the claimed sender (authenticity).

Total Questions: 967
Last Update Check: October 19, 2025