Prepare Smarter for the CISM Exam with Our Free and Real ISACA CISM Exam Questions – 2025 Updated
At Cert Empire we are committed to providing the best and latest practice questions to students preparing for the ISACA CISM exam. To help students prepare better, we have made sections of our CISM exam preparation resources free for everyone. You can practice as much as you like with the free CISM practice test.
Question 1
A. Preventive: A SIEM does not stop an incident from occurring. It reports on events, rather than blocking malicious actions like a firewall would.
B. Deterrent: While the knowledge of robust monitoring might discourage some attackers, a SIEM's primary function is not deterrence but detection of activities.
D. Corrective: A SIEM does not fix issues or restore systems. It provides the necessary information to trigger a corrective response, which is a separate function.
---
1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management. The manual defines detective controls as those "designed to detect and report that an error, omission or malicious act has occurred." SIEM systems are consistently categorized under this function as they are a primary tool for monitoring and detecting security events. (Specific reference: Chapter 3, Section on "Security Control Types and Functions").
2. NIST Special Publication 800-92, Guide to Computer Security Log Management. Section 2.3, "Log Management Infrastructure," describes the functions of log management tools, including SIEMs. The entire process of collecting, centralizing, and analyzing logs is presented as a mechanism for identifying security incidents, which is the definition of a detective control.
3. Tounsi, W., & Rais, H. (2018). A survey on technical threat intelligence in the age of big data. Computers & Security, 72, 212-233. This peer-reviewed article discusses SIEM as a core technology for threat detection, stating, "SIEMs are used to provide a holistic view of the IT security by collecting and correlating logs from different sources to detect security threats." This aligns directly with the function of a detective control. (DOI: https://doi.org/10.1016/j.cose.2017.09.001, Section 3.1).
Question 2
A. Incident management procedures: These provide the step-by-step instructions for how to escalate, but not the strategic criteria for when to escalate based on business impact.
B. Incident management policy: This is a high-level document that mandates an incident management program and escalation but lacks the specific risk details for decision-making.
C. System risk assessment: This is too narrow in scope, as it focuses on a single system's risks, whereas a major incident may have a broader organizational impact.
1. ISACA, CISM Review Manual, 15th Edition. Part 3: Information Security Program Development and Management, Section 2.9 Risk Management. The manual explains that the risk register is a tool for managing and communicating the organization's risk portfolio. Senior management uses this to understand the most significant threats to business objectives, making it the logical reference for determining if an incident's impact warrants their attention.
2. ISACA, CRISC Review Manual, 6th Edition. Chapter 2: IT Risk Assessment. This manual details that the risk register is the primary output of the risk identification and analysis process. It states, "The risk register provides a central repository for all identified risks... It is used to support decisions on risk response," which includes escalating an active incident that actualizes a documented risk.
3. Parker, D. B. (2014). Information Security Management Handbook, 6th Edition, Volume 7. Auerbach Publications. Chapter 5, "Information Security Governance," discusses how the risk register is a key communication tool between security functions and executive management. It translates technical issues into business impact terms, which is essential for effective escalation and executive decision-making. (This is a widely used academic and professional text in the field).
Question 3
A. Security budget: The budget is an outcome or a constraint of the security strategy and risk appetite, not a primary input for defining it.
B. Risk register: This is a tactical document used to manage identified risks in alignment with the already established risk appetite, not to determine it.
C. Risk score: A risk score is a metric for a specific risk, used for prioritization and treatment decisions after the risk appetite has been set.
1. ISACA, CISM Review Manual, 15th Edition. Domain 1: Information Security Governance, Section 1.2.3, "Legal and Regulatory Requirements." The manual emphasizes that legal, regulatory, and contractual requirements are key drivers for the information security strategy. The strategy, which includes defining risk appetite, must ensure compliance, making these requirements a fundamental input.
2. NIST Special Publication 800-39, "Managing Information Security Risk: Organization, Mission, and Information System View." Section 2.2, "Risk Framing," page 13. This section lists "laws, directives, regulations, policies, standards, and guidelines" as essential inputs for establishing the risk context and framing risk, which includes determining risk appetite and tolerance.
3. ISACA, COBIT 2019 Framework: Governance and Management Objectives. APO12 "Manage Risk," page 121. The framework lists "External compliance requirements" as a key input for the process of defining and maintaining a risk profile, which includes establishing the organization's risk appetite.
Question 4
A. Wipe the affected system. This is a premature eradication step that would destroy valuable forensic evidence needed for investigation and should only occur after containment.
B. Notify internal legal counsel. While a necessary step in the incident response process, immediate technical containment to prevent further spread takes precedence over notification.
C. Notify senior management. Communication with leadership is crucial for awareness and resource allocation, but it follows the initial technical action of containing the threat.
1. NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. Section 3.3, "Containment, Eradication, & Recovery," states, "Containment is the first step in this phase... Containment is important before an incident overwhelms resources or increases damage." The document lists disconnecting the affected host from the network as a primary containment strategy (p. 23).
2. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. National Institute of Standards and Technology. This is the full citation for the above reference, which is a foundational document for the principles tested in the CISM exam.
3. Tounsi, W., & Frikha, H. (2018). "A new taxonomy for security incident response plan." Computers & Security, 74, 169-191. This academic paper reviews various incident response models, consistently identifying "Containment" as the immediate phase following "Detection and Analysis" to limit the extent of an incident. (DOI: https://doi.org/10.1016/j.cose.2017.12.007)
Question 5
B. Review vulnerability assessment: This is a proactive measure to identify weaknesses or a post-incident activity for lessons learned, not the immediate action during an attack.
C. Conduct a security audit: An audit is a formal, systematic review of controls and compliance, which is inappropriate as an immediate response to an active incident.
D. Isolate the system: While system isolation is a critical containment strategy, it is a component of the overall incident response process, not the best first step. The IR plan dictates when and how to isolate.
1. NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. Section 3.2, "Incident Response Lifecycle," outlines the major phases of incident response. The discovery of an attack triggers the "Detection & Analysis" phase, which is the formal start of the response process. This process then guides subsequent actions, including "Containment, Eradication, & Recovery" (Section 3.3), where actions like isolating a system are considered as part of a broader strategy.
2. Tøndel, I. A., Line, M. B., & Gjøsæter, T. (2012). Towards a structured cyber security incident response process. This paper emphasizes the importance of a structured, pre-planned process over ad-hoc actions. It states, "A structured process for incident response is important to ensure that incidents are handled efficiently and that all necessary steps are taken." Initiating the formal process (A) aligns with this principle, whereas taking a single tactical step (D) would be an ad-hoc action. (Available via SINTEF academic archive and other academic databases).
3. University of California, Berkeley, Information Security Office Documentation. In their "Incident Response Plan," the first step after detection and reporting is "Triage & Analysis," which involves activating the incident response team and beginning a coordinated investigation. This aligns with "Initiate incident response" as the primary, overarching action. The plan specifies that containment strategies (like isolation) are determined during this coordinated response.
Question 6
A. While statistical reports will lack crucial context and be less meaningful without severity data, this is a secondary consequence compared to the immediate failure of the response process.
B. Overall service desk staffing is primarily based on incident volume, not severity. While severity affects the allocation of specialized skills, it is not the main driver for total staff numbers.
D. Detection is the process of identifying a potential security event. Classification and severity assignment occur after an event has been detected; therefore, a lack of criteria does not make detection impossible.
1. ISACA, CISM Review Manual, 15th Edition. Domain 4: Information Security Incident Management. Section 4.3, "Incident Response Plan," emphasizes that an incident response plan must include procedures for classifying incidents. This classification is what drives the appropriate response, including prioritization and escalation, ensuring that incidents are handled by the correct personnel in a timely manner. The absence of severity criteria directly undermines this core function.
2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-61 Rev. 2, "Computer Security Incident Handling Guide." Section 2.3.2, "Incident Categorization," states, "Incidents should be categorized... This is important for prioritization; for example, a worm that is spreading rapidly and causing a denial of service should be handled before a minor malware incident on a single host." This prioritization is the direct input for escalation procedures.
3. Von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102. This academic publication discusses the evolution of information security management. It implicitly supports the need for structured response mechanisms, where classification and severity assessment are critical for triggering appropriate actions, including escalation, to manage cyber threats effectively. (https://doi.org/10.1016/j.cose.2013.04.004)
Question 7
B. This is the broader, strategic objective of the entire information security program, not the specific, immediate reason for conducting one particular test.
C. While poor test results can be used to justify budget requests, the primary purpose of the test is to improve security, not to secure funding.
D. A social engineering test assesses user behavior and compliance with policies, but it is not the primary tool for creating or improving the policy document itself.
---
1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management, Task Statement B2.3: "Establish and maintain information security awareness and training programs to promote a secure environment and an effective security culture." The manual explains that testing methods, such as phishing simulations (a form of social engineering), are used to measure the effectiveness of awareness programs and identify areas needing improvement, which directly translates to identifying candidates for further training.
2. Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack detection model: A literature review. Computers & Security, 59, 1-18. In Section 4, "Mitigation of SE Attacks," the paper emphasizes that user education and awareness programs are a primary defense. It states, "The aim of an awareness program is to influence the behaviour of users... Testing and measuring the effectiveness of the program is essential." This supports the concept that testing is done to find behavioral flaws that need to be corrected through training. (https://doi.org/10.1016/j.cose.2016.02.005)
3. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5. (2020). Security and Privacy Controls for Information Systems and Organizations. Control: AT-2, "Security Awareness Training." The discussion section for this control notes that organizations can "employ assessments (e.g., social engineering exercises to test the awareness of users) to determine the effectiveness of security awareness training." This explicitly links social engineering exercises to assessing training effectiveness and, by extension, identifying where more training is needed.
Question 8
A. Reviewing before implementation is a detective control that occurs too late in the lifecycle; fixing fundamental design flaws at this stage is costly and can cause significant project delays.
C. Performing a vulnerability analysis is a specific technical assessment, not a comprehensive approach to ensure alignment with all aspects of an information security policy, which includes more than just technical flaws.
D. Periodically auditing the application is a post-implementation activity. It is essential for ongoing assurance but is reactive and does not ensure initial compliance is built in from the start.
1. ISACA, CISM Review Manual, 15th Edition. Chapter 3, Information Security Program Development and Management, p. 168. The manual states, "Security should be an integral part of every stage of the SDLC... The cost of correcting a security flaw or adding a security feature increases exponentially the later it is found in the SDLC." This supports integrating security during development (Option B) as the most cost-effective and best approach.
2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1, February 3, 2022. Practice PW.1: "Design Software to Meet Security Requirements and Mitigate Security Risks." This practice emphasizes that "security requirements should be taken into account during software design, and the design should be reviewed and approved before development begins." This directly supports building security in during the earliest feasible stages, which includes development.
3. Mougouei, D., Sani, N. F. M., & Al-Fahim, N. H. (2017). A review of security by design in the software development lifecycle. International Journal of Applied Engineering Research, 12(17), 6466-6472. This academic review reinforces the concept, stating, "Security by design is a new approach that recommends security decisions to be incorporated in the early stages of the software development life cycle (SDLC) to minimize vulnerabilities in the software." This highlights the superiority of early integration over late-stage reviews or post-implementation audits.
Question 9
A. Provide regular updates about the current state of the risks: This is a reporting activity. While it increases visibility of the problem, it does not solve the underlying issue of why risks are not being treated.
B. Re-perform risk analysis at regular intervals: The problem is not with the identification or analysis of risks, but with the lack of action after analysis. Re-performing analysis is inefficient and does not address the treatment bottleneck.
D. Create mitigating controls to manage the risks: This is a risk treatment option itself. However, the question implies this step is not happening. Assigning an owner is the prerequisite to ensure someone is accountable for creating and implementing controls.
---
1. ISACA, CISM Review Manual, 15th Edition. In Domain 2: Information Risk Management, the concept of risk ownership is central to effective risk treatment. The manual states, "Risk ownership is a key concept in information risk management... The risk owner is an individual accountable for the identification, assessment, treatment and monitoring of risks in a specific area." (p. 111). This establishes that accountability through ownership is essential for the treatment phase.
2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-39, Managing Information Security Risk. This foundational document on risk management emphasizes that the process requires clear roles and responsibilities. The risk response step, which includes treatment, "provides a consistent, organization-wide, response to risk." (Section 2.3, p. 15). Such a response cannot be executed without an accountable party (i.e., a risk owner) to make decisions and direct action.
3. ISACA, COBIT 2019 Framework: Governance and Management Objectives. The framework's process APO12 Manage Risk requires clear accountability structures. Practice APO12.05 Maintain a risk profile includes identifying risk owners as a key activity. Without an owner, the subsequent practice APO12.06 Articulate risk and APO12.07 Define a risk management action portfolio cannot be effectively executed, leading to the exact problem described in the scenario. (pp. 108-109).
Question 10
A. Confidentiality is achieved by encrypting the entire message content, which is a separate process from applying a digital signature.
C. A digital signature is a detective control; it can identify that a modification has occurred but has no capability to automatically correct it.
D. A digital signature is a detective, not a preventive, control. It cannot stop a message from being intercepted and modified in transit.
1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management. The manual explains cryptographic controls, stating that digital signatures are used to provide integrity, authentication, and non-repudiation, distinguishing this from encryption which provides confidentiality.
2. National Institute of Standards and Technology (NIST). (2013). FIPS PUB 186-4, Digital Signature Standard (DSS). Page 1, Section 1, Introduction. The standard states, "Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can present the data and its signature to a third party to prove that the signature was generated by the claimed signatory. This is known as non-repudiation... In summary, the use of a digital signature provides data integrity and source authentication."
3. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. Chapter 8, "Security in Computer Networks." Section 8.3, "Principles of Cryptography," explains that digital signatures, created by encrypting a message digest with a private key, allow a recipient to verify that the message is unaltered (integrity) and from the claimed sender (authenticity).
Question 11
A. Website transactions and taxation are primarily commercial and financial legal matters, not core information security concerns.
B. Software patches are technical controls, not typically a legal issue for transborder flow, and "corporate data" is less specific than the heavily regulated category of "personal data."
D. Lack of competition and free trade fall under antitrust and international trade law, which are distinct from information security legal frameworks.
1. ISACA, CISM Review Manual, 15th Edition. Domain 1: Information Security Governance, Section 1.3.3 "Legal and Regulatory Issues." This section details the information security manager's responsibility to understand and comply with laws and regulations, specifically citing "privacy legislation" (governing personal data) and "import/export" controls, which prominently feature restrictions on cryptographic technology.
2. Svantesson, D. J. B. (2013). A new approach to extraterritoriality – A cry for help? International Data Privacy Law, 3(3), 172–182. This academic article discusses the complexities of data privacy laws like GDPR, which have extraterritorial reach, creating significant legal challenges for the "transborder flow of...personal data" (p. 172). This highlights personal data as a primary legal issue. https://doi.org/10.1093/idpl/ipt010
3. Massachusetts Institute of Technology (MIT) OpenCourseWare. 6.805/STS.085 Ethics and Law on the Electronic Frontier, Fall 2014. Lecture 15 notes on "Cryptography Policy" discuss the history and legal framework of U.S. export controls on encryption, treating it as a munition. This establishes encryption tools as a major subject of transborder legal regulation from a security perspective. (Available at MIT OCW website).
Question 12
B. Addressing ineffective controls is a tactical detail within the strategy; leadership is more concerned with the overall strategic alignment and risk posture.
C. While important for due diligence, alignment with industry standards is secondary to alignment with the organization's unique business goals and risk appetite.
D. The threat environment and maturity are crucial inputs for developing the strategy, but alignment with risk appetite is the key to its acceptance by leadership.
1. ISACA, CISM Review Manual, 15th Edition. In Domain 1: Information Security Governance, Section 1.3, "Information Security Strategy," it is emphasized that the strategy must align with the goals and objectives of the business. Page 43 specifically discusses risk appetite and tolerance as a "strategic matter that must be determined by senior management," making alignment with this determination paramount for any strategy presented to them.
2. ISACA, COBIT 2019 Framework: Governance and Management Objectives. The governance objective EDM03, "Ensure Risk Optimisation," explicitly states a key practice is to "Ensure that IT-related risk does not exceed the risk appetite and risk tolerance of the enterprise." This highlights that senior leadership's primary governance function regarding risk is to operate within the defined appetite, making it the most important consideration for strategy approval.
3. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-39, "Managing Information Security Risk." Section 2.2, "Risk Framing," discusses the importance of establishing risk tolerance at the senior leadership level. This "risk frame" is essential for all subsequent risk management activities, including strategy development and communication, as it sets the fundamental boundaries and priorities for the entire organization.
Question 13
B. An identification of the overall threat landscape is too generic and lacks the specific business context needed to compel management action.
C. A report of a successful attack on a competitor is a reactive, fear-based tactic that does not build a case for a sustainable, strategy-driven security program.
D. An identification of organizational risks is crucial, but these risks become most meaningful and actionable to management when they are explicitly linked to the business objectives they threaten.
1. ISACA. (2022). CISM Review Manual, 16th Edition. In Domain 1: Information Security Governance, Section 1.4, "Information Security Strategy," it is established that the information security strategy must be derived from the organization's overall strategy. It states, "The primary driver for information security is the business," and emphasizes that alignment with business objectives is essential for obtaining support and resources from senior management. (p. 45).
2. ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. The core concept of the Goals Cascade, detailed in Chapter 4, illustrates that enterprise goals (driven by business strategy) cascade down to alignment goals for Information & Technology (I&T). This framework fundamentally positions the alignment with business needs as the primary driver for all governance and management objectives, including those for information security (e.g., APO13 Managed Security).
3. De Haes, S., & Van Grembergen, W. (2015). Enterprise Governance of Information Technology: Achieving Alignment and Value, Featuring COBIT 5. Springer International Publishing. In Chapter 2, "Business/IT Alignment," the authors empirically demonstrate that strategic alignment is a top concern for executives. The text explains that for IT (including security) to deliver value, its plans and objectives must be explicitly linked to business plans, which is the foundation for securing executive sponsorship and support. (pp. 21-23).
Question 14
A. A risk assessment is a proactive, high-level activity; the specific root cause (human error) has already been identified and requires a direct, tactical solution.
B. The problem was not a flawed plan but a failure to follow it. Revising the entire plan is premature without evidence that the plan itself is deficient.
D. Data owners are typically business-side managers responsible for data classification and governance, not the technical handling of security alerts. Training them would not solve the issue.
1. ISACA, CISM Review Manual, 16th Edition.
Domain 3: Information Security Program Development and Management, Section 3.3.2 Roles and Responsibilities: This section defines the role of an information/data custodian as the individual or group responsible for implementing, managing, and monitoring protection mechanisms. System administrators are a primary example of this role.
Domain 4: Information Security Incident Management, Section 4.3 Incident Management Readiness: This section emphasizes that "all individuals with incident response responsibilities should be trained to ensure they can perform their duties effectively." This directly links the need for training to the roles responsible for response actions.
2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-61 Rev. 2, Computer Security Incident Handling Guide.
Section 2.5.2, Plan: States, "Training should be appropriate for each person's role." This reinforces the principle that training must be targeted to the specific responsibilities of the personnel involved, such as the system administrator (custodian) in this scenario.
3. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations.
Control IR-2 (Incident Response Training): This control explicitly requires organizations to "Train personnel in their incident response roles and responsibilities with respect to the information system and provide refresher training." This underscores that training is a fundamental control for ensuring proper incident response execution by specific roles.
Question 15
B. Risk tolerance and organizational objectives are critical inputs for aligning the security program with business needs, but they do not drive the integration itself.
C. The desired state of the organization is a strategic goal or target; it is the outcome of a process, not the primary factor influencing the success of that process.
D. Information security personnel are essential for executing the security program, but their effectiveness is ultimately enabled or constrained by the prevailing organizational culture and structure.
1. ISACA, CISM Review Manual, 15th Edition, 2016. Domain 1: Information Security Governance, Section 1.2.3, "Internal Influences." This section identifies organizational culture and structure as primary internal factors that influence the development and implementation of the information security strategy, directly impacting its integration.
2. ISACA, COBIT 2019 Framework: Introduction and Methodology, 2018. Chapter 4, "Governance System and Components," pp. 31-33. This framework lists "Organisational structures" and "Culture, ethics and behaviour" as two of the seven essential components of a governance system, stating they are required for the enterprise to achieve its governance and management objectives, which includes integrating security.
3. Da Veiga, A., & Eloff, J. H. P. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29(2), 196-207. https://doi.org/10.1016/j.cose.2009.09.002. This academic paper emphasizes that an established information security culture is a prerequisite for the successful implementation and integration of security controls and policies within an organization.
Question 16
A. Frequent incident response training sessions: Training builds capability and prepares staff, but it does not provide the specific, mandated communication protocols and timelines required during an actual incident.
B. Centralized control monitoring capabilities: Monitoring is essential for detecting incidents. It provides the information to be communicated but does not govern the communication process or requirements itself.
C. Responsibilities defined within role descriptions: Role descriptions are too general for the dynamic needs of incident response. Effective communication requires a specific plan, not just high-level role definitions.
1. ISACA, CISM Review Manual, 16th Edition. Domain 4: Information Security Incident Management. Section 4.3, "Incident Response Plan," emphasizes that the plan must contain clear criteria for determining the priority of an incident and the required level of management reporting. SLAs are a primary mechanism for formally documenting these criteria and reporting timelines. (Specifically, see Task Statement K4.3: "Knowledge of the processes for communicating with and reporting to internal and external stakeholders.")
2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-61 Rev. 2, "Computer Security Incident Handling Guide." Section 2.3.3, "Incident Response Policies, Plans, and Procedures," states that policies should define reporting requirements. SLAs are a formal instrument for defining these requirements, especially with external parties like customers or regulators, ensuring communication is handled according to pre-agreed standards.
3. ITIL® Foundation, ITIL 4 Edition, AXELOS (2019). Chapter 5.2.5, "Incident Management," discusses the importance of agreeing on target resolution times and communication protocols, which are formally documented in SLAs. This ensures all parties, including users and stakeholders, have clear expectations for communication during service disruptions. (While ITIL is not a CISM-specific source, its principles on incident management are foundational and align with CISM concepts, making it an appropriate academic reference in this context).
Question 17
A. An information security program charter is a high-level governance document that establishes authority and scope; it does not contain operational details like contact lists.
B. A business impact analysis (BIA) is an analytical document that identifies critical processes and dependencies; it provides input for the BCP but is not the plan itself.
C. Service level agreements (SLAs) are contracts defining service expectations and may contain some contacts, but the BCP is the central, consolidated plan for all recovery-related contacts.
1. ISACA, CISM Review Manual, 15th Edition. Domain 4: Information Security Incident Management, Section 4.8 Business Continuity and Disaster Recovery. The manual details that BCPs must contain all information necessary for their execution, which includes procedures, resources, and contact lists for internal teams, emergency responders, and critical third-party vendors.
2. NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. Appendix C, "Contingency Plan Template," explicitly includes a section for "Vendor Contact Information" as a standard and essential component of a contingency/business continuity plan.
3. Carnegie Mellon University, Software Engineering Institute, CERT Resilience Management Model (CERT-RMM) v1.2. The Service Continuity (SCON) process area emphasizes establishing and maintaining plans to ensure service continuity. The practical implementation of these plans requires having all necessary resources readily available, which includes the contact information for external dependencies such as vendors and suppliers.
Question 18
Show Answer
B. Disaster recovery plan (DRP): This is invoked for catastrophic events that render systems or facilities inoperable and focuses on restoring IT infrastructure, not the initial malware response.
C. Business continuity plan (BCP): This is a high-level strategic plan to maintain critical business functions during a major disruption; it is triggered if the incident escalates beyond a localized event.
D. Vulnerability management plan: This is a proactive and ongoing process for identifying and remediating system weaknesses; it is not a reactive plan for handling an active infection.
1. ISACA, CISM Review Manual, 16th Edition (2022). Domain 4: Information Security Incident Management, Section 4.2, "Incident Response Plan." The manual states, "The incident response plan (IRP) consists of the procedures to be deployed in the event of an incident... The plan should be activated whenever an incident is detected." A malware infection is a primary example of such an incident.
2. National Institute of Standards and Technology (NIST). (2012). Special Publication (SP) 800-61 Rev. 2, Computer Security Incident Handling Guide. Section 2.3.1, "Incident Response Plan," specifies that the IRP provides the roadmap for responding to an incident. The document's lifecycle (Detection & Analysis, Containment, Eradication & Recovery) is the formal process that should be triggered first for events like malware infections.
3. Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th ed.). Cengage Learning. Chapter 6, "Planning for Contingencies," clearly distinguishes the order of activation. It explains that incident response precedes and may trigger disaster recovery. The text states, "Incident response focuses on immediate response... If the incident escalates or is disastrous, the process moves on to disaster recovery and business continuity." (p. 225).
Question 19
Show Answer
B. Reviewing provider DRPs is a crucial due diligence activity, but it must be measured against the organization's own recovery requirements, which must be defined first.
C. Obtaining audit reports is part of the provider evaluation process, which logically follows the initial step of establishing the security requirements to be audited against.
D. Aligning roles and responsibilities occurs during the contracting and service level agreement (SLA) negotiation phase, after a provider has been evaluated and selected.
1. ISACA, CISM Review Manual, 15th Edition. In the discussion of the third-party management life cycle, the "Selection" phase explicitly includes "Defining requirements" as a key activity. This step is foundational to the subsequent evaluation of potential vendors to ensure they can meet the organization's needs. (Domain 2: Information Risk Management, Section 2.6.3, p. 103).
2. ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection – Information security controls. Control 5.20, "Addressing information security in supplier agreements," states that information security requirements should be established and agreed upon with each supplier. This implies that the organization must first determine these requirements before they can be included in an agreement or used to evaluate a supplier.
3. NIST SP 800-35, Guide to Information Technology Security Services. Section 3.1, "Phase 1 – Requirements Definition," outlines the first phase of acquiring security services. It states, "The first phase in the life cycle is to define the organization's IT security requirements... This phase is critical to the success of the entire process." This principle applies directly to outsourcing any IT service or application.
Question 20
Show Answer
A. Networking with peers is a valuable threat intelligence gathering activity, but it is not a direct method for monitoring an organization's internal environment.
B. Browsing the Internet is an informal, unstructured, and unreliable method for gathering threat intelligence and is not a systematic monitoring technique.
D. APTs are specifically designed to bypass signature-based detection systems by using unknown or modified malware, making this method largely ineffective against them.
1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management. Section on "Security Monitoring" emphasizes the need for techniques that can detect anomalous activity indicative of advanced threats, which often bypass traditional signature-based controls. While not using the exact phrase, the principles of monitoring for unusual behavior are central to detecting sophisticated attacks.
2. National Institute of Standards and Technology (NIST), Special Publication 800-61 Rev. 2, "Computer Security Incident Handling Guide." Section 3.2.3, "Signs of an Incident," discusses how difficult-to-detect incidents, such as APTs, often manifest as subtle anomalies. It states, "Some incidents are detected through other means, such as seeing anomalous activity." This highlights the importance of anomaly detection for advanced threats.
3. Ahmadi, M., Ghaemi-Bafghi, A., & Tadayon, M. H. (2016). A survey and a taxonomy on advanced persistent threats detection. 2016 4th International Conference on Control, Instrumentation, and Automation (ICCIA). DOI: 10.1109/ICCIAutom.2016.7483158. This academic paper surveys APT detection techniques, concluding that "anomaly-based detection methods are more effective than signature-based methods in detecting APT attacks" because APTs use unknown and polymorphic malware.
Question 21
Show Answer
A. Conduct a cost-benefit analysis. This is premature. A cost-benefit analysis can only be conducted after the required changes (the gaps) and potential solutions have been identified.
B. Consult corporate legal counsel. While crucial for interpreting the regulation's legal nuances, the security manager must first understand the current technical and procedural posture to facilitate a productive discussion about the actual impact.
C. Update the information security policy. Policy updates are a result of the compliance effort, not the starting point. The policy cannot be updated accurately until the gaps are known.
1. ISACA, CISM Review Manual, 15th Edition. Domain 1: Information Security Governance, Task Statement G3 states a key task is to "Identify the gap between the current and desired states of the information security program to ensure that the enterprise's objectives are met." The introduction of a new regulation establishes a new "desired state," making a gap analysis the primary initial action.
2. ISACA, CISM Review Manual, 15th Edition. Domain 1: Information Security Governance, Section 1.3.3, "Legal and Regulatory Requirements." This section details the security manager's responsibility to identify and address applicable requirements. The foundational step to addressing them is to first understand the extent of non-compliance, which is the purpose of a gap analysis.
3. NIST Special Publication 800-39, "Managing Information Security Risk." Section 2.2, "Risk Management Process." The process described (Frame, Assess, Respond, Monitor) begins with framing and assessing risk. When a new regulation appears, it introduces new compliance risks that must first be assessed against the current environment before a response can be formulated. This assessment is functionally a gap analysis.
Question 22
Show Answer
B. Compliance with policies: This is an outcome or a goal of an effective governance program, rather than a foundational component required to build it.
C. Auditability of systems: This is a specific control characteristic and an assurance mechanism that supports governance, but it is not a core governance principle itself.
D. Allocation of training resources: This is an important operational activity that is directed and managed by the governance framework, not a fundamental element of the framework itself.
---
1. ISACA, CISM Review Manual, 15th Edition. Domain 1: Information Security Governance, Section 1.2.3, "Information Security Responsibilities and Accountability." The manual states, "A key element of an information security governance framework is the definition and assignment of information security responsibilities throughout the organization... Accountability for information security must be assigned." This directly supports the concept of ownership as a critical element.
2. ISACA, COBIT 2019 Framework: Governance and Management Objectives. The EDM01 process, "Ensured Governance Framework Setting and Maintenance," emphasizes the need to "Define organizational structures, roles and responsibilities." This establishes that defining ownership is a primary activity in setting up a governance framework.
3. Tassabehji, R. (2005). Information security governance: The role of the board of directors. Americas Conference on Information Systems (AMCIS) 2005 Proceedings, 303. This academic paper highlights that a key responsibility of the board in governance is to "ensure that management has assigned clear responsibilities for information security," reinforcing that ownership is a top-level, critical concern. (Available via AIS eLibrary).
4. von Solms, S. H. (2006). Information Security Governance. Computers & Security, 25(6), 409-412. https://doi.org/10.1016/j.cose.2006.07.002. This article discusses the evolution from information security management to governance, noting that governance requires establishing clear accountability structures, which is synonymous with ownership, as a fundamental principle.
Question 23
Show Answer
A. Deploy mobile device management (MDM): This is a specific technical control. While likely a necessary component of the solution, it is a potential outcome of a risk assessment, not the best initial step.
B. Implement remote wipe capability: This is a reactive control that mitigates the impact of data loss after a device is stolen, but it does not mitigate the primary risk of the theft itself.
C. Create an acceptable use policy: This is an administrative control. While important for setting user expectations, it is only one part of a comprehensive security strategy and is insufficient on its own.
1. ISACA, CISM Review Manual, 15th Edition. Domain 2: Information Risk Management. The manual emphasizes that the risk assessment process is fundamental to all other risk management activities. Task Statement K2.2 states the need to "Identify and analyze risks to determine their potential likelihood and impact on the business." This assessment is the prerequisite for selecting appropriate risk responses (mitigation controls) as described in Task Statement K2.4.
2. ISACA, COBIT 5 for Information Security. APO12 Manage Risk, Section APO12.02, "Collect data and identify, analyze and report on risk." This practice highlights that the initial step in risk management is to collect data to identify and analyze risks. This directly corresponds to conducting a risk assessment before implementing specific controls.
3. Parker, D. B. (2013). Toward a New Framework for Information Security. In Computers & Security, 32, 1-12. (Peer-reviewed academic publication). This and similar foundational texts on information security management stress that effective security programs are built upon a thorough understanding of risks. The selection of controls (such as MDM) must be justified and guided by a formal risk assessment process to ensure they are appropriate and sufficient for the identified threats.
Question 24
Show Answer
A. Return on investment (ROI): A KRI's value is in loss avoidance and proactive risk management, which is often difficult to quantify as a direct financial return, making ROI a secondary consideration.
B. Compliance requirements: While important, compliance is only one source of risk. An effective risk management program uses KRIs to monitor all significant risks, not just those related to regulations.
C. Target audience: The target audience influences how a KRI is reported and communicated (e.g., dashboards for executives, detailed reports for managers), not the fundamental selection of the metric itself.
1. ISACA, CISM Review Manual, 15th Edition (2019). In Domain 2: Information Risk Management, the manual explains that KRIs are selected to monitor the most significant risks. It states, "KRIs should be selected based on the risks that have been identified as having a potential for high loss" (p. 108). The potential for high loss is directly correlated with the criticality of the asset or information at risk.
2. ISACA, COBIT 2019 Framework: Governance and Management Objectives (2018). The framework emphasizes aligning governance and management activities with enterprise goals. The selection of risk metrics (like KRIs) under process APO12 (Manage Risk) is driven by the business impact analysis, which explicitly identifies and prioritizes critical business processes and assets.
3. Flippo, D., & Van der Merwe, A. (2015). A Key Risk Indicator (KRI) Selection and Validation Model. Proceedings of the 9th International Conference on Theory and Practice of Electronic Governance. (p. 217). This academic publication notes that the KRI selection process begins with identifying critical business objectives and the risks that threaten them, reinforcing that criticality is the foundational element. DOI: https://doi.org/10.1145/2893679.2893681
Question 25
Show Answer
A. Audits are a detective mechanism used to verify compliance and effectiveness periodically; they are not a proactive enabler for managing new, emerging risks.
B. Clear lines of responsibility are essential for execution, but they are established and assigned based on the authority and direction provided by policies.
C. A sufficient budget is a necessary resource for implementing controls, but its allocation is justified and guided by the risk management strategy defined in policies.
1. ISACA, CISM Review Manual, 15th Edition. Chapter 1, Section 1.2.3, "Information Security Policy," states, "The information security policy is the foundation of an effective information security program... It is the primary means by which senior management communicates its will and intent to the organization." This establishes policy as the foundational enabler.
2. National Institute of Standards and Technology (NIST), The NIST Cybersecurity Framework (CSF) 2.0 (2024). The CSF 2.0 Core adds a "Govern" function (Version 1.1 had only Identify, Protect, Detect, Respond and Recover). Its Policy category, GV.PO, states that organizational cybersecurity policy is established, communicated and enforced, alongside the Organizational Context (GV.OC) and Risk Management Strategy (GV.RM) categories. This places policy squarely within the governance activities that enable risk management.
3. Furtado, V. (2018). A CISM Body of Knowledge. EDPACS, 58(3), 1-18. In the discussion on Information Security Governance, the article emphasizes that "Policies are the key high-level documents that set the tone and direction for the entire security program," from which procedures, standards, and baselines are developed to address specific risks. (DOI: https://doi.org/10.1080/07366981.2018.1523211).
Question 26
Show Answer
B. Recovery: This phase restores systems to normal operation. The failure occurred before this step; recovery cannot be successful if the threat has not been fully eradicated.
C. Lessons learned review: This is a post-incident activity conducted after the incident is fully resolved. The ongoing discovery of malware indicates the incident is not yet resolved.
D. Incident declaration: This initial phase, where an event is formally identified as an incident, was clearly successful because a response and recovery effort were initiated.
1. National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2, "Computer Security Incident Handling Guide" (August 2012).
Section 3.4.2, Eradication: This section states, "After an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts...". The scenario directly describes a failure to "eliminate components of the incident."
Figure 3-3, Incident Response Life Cycle: This figure clearly places "Eradication & Recovery" after "Containment" and before "Post-Incident Activity," showing that eradication is a prerequisite for a successful and final recovery.
2. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-61r2). National Institute of Standards and Technology.
DOI: https://doi.org/10.6028/NIST.SP.800-61r2 (This is the DOI for the same NIST document, provided for academic citation format). The relevant content is in Section 3.4.2 as noted above.
3. ISACA. (2022). CISM Review Manual, 16th Edition. Domain 4: Information Security Incident Management covers incident response planning and management. The phases described there align with the NIST SP 800-61 life cycle and make the same point: eradication must precede final recovery so that the threat is actually removed. (Note: page numbers vary by edition, but the principle is consistent across editions and with the NIST guide.)
Question 27
Show Answer
B. Reviewing audit results is a crucial due diligence and ongoing monitoring step, but it is secondary to first defining the requirements that the vendor will be audited against.
C. Service level agreements (SLAs) are important but represent only a subset (primarily availability) of the comprehensive security requirements needed to protect confidentiality and integrity.
D. Business continuity is a single, albeit critical, component of the overall security program. The primary focus is on ensuring all necessary requirements are contractually defined.
1. ISACA, CISM Review Manual, 16th Edition. Domain 3: Information Security Program Development and Management, Section 3.4.6, "Integrating Security Requirements into Contracts and Agreements." This section emphasizes that contracts are the primary mechanism for ensuring that third-party providers adhere to the organization's security policies and standards. It states that security requirements, roles, and responsibilities must be explicitly defined in the contract.
2. ISACA, CISM Review Manual, 16th Edition. Domain 2: Information Risk Management, Section 2.9.3, "Third-Party Risk Management." This section details the lifecycle of third-party management, highlighting that the contract negotiation and finalization phase is where security expectations, service levels, and the right to audit are formally established.
3. Hall, J. A., & Singleton, T. (2005). Information Technology Auditing and Assurance. Chapter 4, "The Management, Operational, and Information Technology Auditing." University-level textbooks on IT auditing consistently identify the review and establishment of contractual obligations as a primary control point in managing outsourced relationships to ensure accountability and compliance.
4. von Solms, R., & von Solms, B. (2004). "The 10 deadly sins of information security management." Computers & Security, 23(5), 371-376. https://doi.org/10.1016/j.cose.2004.05.002. This academic publication discusses failures in information security management, implicitly supporting the principle that failing to formalize security requirements in third-party agreements (a "sin" of omission) is a fundamental management failure.
Question 28
Show Answer
A. This is a critical procedural and legal failure concerning the test's authorization, but it does not relate to the technical risk posed by the vulnerabilities themselves.
B. This indicates a gap in the internal vulnerability management program. While it is a serious process issue to be addressed, it is a root cause, not the immediate, high-likelihood threat.
C. This points to a weakness in the software development life cycle (SDLC). However, it is a contributing factor rather than the most immediate and critical risk presented by a readily exploitable vulnerability.
1. ISACA, CISM Review Manual, 16th Edition. In Domain 3: Information Security Program Development and Management, the section on vulnerability management emphasizes that remediation activities must be prioritized based on risk. The availability of an exploit is a primary factor in determining the likelihood of exploitation and, therefore, the overall risk level of a vulnerability. (Specifically, see Chapter 3, Section 3.4 Vulnerability Management).
2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-30 Rev. 1, Guide for Conducting Risk Assessments. Section 2.2.2, "Likelihood," states that determining the likelihood of a threat event initiation considers the threat source's capability. The public availability of exploit tools directly increases the capability of a broad range of threat sources, thus increasing the likelihood of an adverse event.
3. FIRST.org, Inc., Common Vulnerability Scoring System v3.1: Specification Document. CVSS, the de facto standard for rating vulnerability severity, includes a Temporal Metric Group whose "Exploit Code Maturity (E)" metric (Section 3.1) raises the temporal score as exploit code becomes more available and reliable, moving from "Unproven" through "Proof-of-Concept" and "Functional" to "High." The temporal score is the base score multiplied by the E, Remediation Level and Report Confidence weights, so publicly available, working exploit code pushes the score back toward the full base score. This directly quantifies why available exploit code is a major concern.
Question 29
Show Answer
A. A disaster recovery plan (DRP) is a technical plan for recovering IT systems and infrastructure; it relies on criticality information established by the BIA, but does not determine it.
C. A business continuity plan (BCP) provides procedures to maintain essential operations during a disruption; it is created after the BIA has determined which functions are critical.
D. A security assessment report (SAR) documents findings on security controls and vulnerabilities; its focus is on security posture, not the inherent criticality of business functions for continuity.
1. ISACA. (2022). CISM Review Manual, 16th Edition. Domain 4: Information Security Incident Management, Section 4.3 Business Continuity and Disaster Recovery. The manual states, "The first step in developing a BCP is to perform a business impact analysis (BIA)... The BIA identifies the various events that could impact the business and the business processes that are most critical."
2. National Institute of Standards and Technology (NIST). (2010). Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. Section 3.2, Business Impact Analysis. "The BIA purpose is to correlate specific system components with the critical services that they provide, and based on that information, to characterize the consequences of a disruption... The BIA helps to identify and prioritize information systems and components that are critical to supporting the organization's mission/business processes." (p. 15).
3. Wong, W. C., & Chan, A. (2011). A review of the business impact analysis for business continuity management. International Journal of Business and Management, 6(11), 211. "The BIA is a process of analyzing business functions and the effect that a business disruption might have upon them... The primary goal of BIA is to identify the critical business processes and to determine the recovery priorities." (p. 212). DOI: https://doi.org/10.5539/ijbm.v6n11p211
Question 30
Show Answer
B. implement both companies' policies separately: This approach creates operational inefficiencies, policy conflicts, and potential security gaps, undermining the goal of a unified security framework.
C. merge both companies' policies: Merging policies without first conducting a gap analysis is premature. It risks creating a convoluted policy document with conflicting or inadequate controls.
D. perform a vulnerability assessment: A vulnerability assessment is a tactical, technical evaluation. Strategic policy and framework development must precede such technical assessments to provide the standards to assess against.
---
1. ISACA, CISM Review Manual, 15th Edition. Domain 1: Information Security Governance. The manual emphasizes that a key task of the information security manager is to "identify the gap between the current and desired states of the information security program" to support the development of the security strategy. In a merger and acquisition scenario, this gap analysis is the foundational step before policy integration can occur. (Task Statement 1.5.2).
2. ISACA Journal, "Cybersecurity Considerations for Mergers and Acquisitions," Volume 6, 2018. This article outlines the post-acquisition integration process, stating, "The first step is to perform a deep-dive assessment of the acquired company's cybersecurity program... The goal is to identify gaps between the two companies' security programs." This directly supports gap analysis as the initial action.
3. Kissel, R. (Ed.). (2013). Glossary of Key Information Security Terms (NISTIR 7298 Rev. 2). National Institute of Standards and Technology. While not a CISM-specific source, this foundational document defines gap analysis as "The comparison of actual performance with potential or desired performance." This definition aligns with the necessary first step of assessing the acquired company's posture against the desired integrated framework. (Page 85).
Question 31
Show Answer
A. Develop a personal device policy: A policy must be based on pre-defined control requirements; it cannot be effectively created in a vacuum.
B. Implement a mobile device management (MDM) solution: Implementing technology is premature. The specific control requirements must be defined first to ensure the chosen solution is fit for purpose.
C. Develop training specific to BYOD awareness: Training materials are created to educate users on established policies and procedures, which have not yet been developed.
---
1. ISACA, CISM Review Manual, 16th Edition. Domain 2: Information Risk Management, Section 2.3, "Information Risk Response." The manual outlines that after risk analysis and evaluation, the next step is to select a risk response, which involves defining and selecting controls to mitigate the identified risks to an acceptable level. This "defining controls" step precedes policy creation and implementation.
2. NIST Special Publication 800-37, Revision 2, "Risk Management Framework for Information Systems and Organizations." The RMF defines a sequence of steps: Prepare, Categorize, Select, Implement, Assess, Authorize and Monitor. Controls are selected and tailored in the Select step, drawing on the risk assessment performed during Prepare, and only then deployed in the Implement step; the controls themselves are drawn from the catalog in NIST SP 800-53, Revision 5. Defining control requirements is the essence of the Select step, which is why it precedes both policy drafting and technology deployment.
3. ISACA, COBIT 2019 Framework: Governance and Management Objectives. The management objective APO12 (Manage Risk) details a process flow where risk analysis (APO12.04) is followed by articulating risk (APO12.06) and then defining a risk management action portfolio. This action portfolio includes defining the necessary controls before they are implemented under processes like DSS05 (Manage Security Services). This framework supports defining requirements as the bridge between risk assessment and implementation.
Question 32
Show Answer
A. Security budget allocation: A budget is a resource input, not a measure of program effectiveness or maturity. A large budget can be spent inefficiently on an immature program.
B. Organizational risk appetite: This is a guiding principle that sets the tolerance for risk; it defines the program's goals but does not measure its operational maturity or effectiveness.
C. Risk assessment results: These are point-in-time outputs that identify specific risks. While a mature program performs them, the results themselves do not measure the program's process maturity.
---
1. ISACA. (2022). CISM Review Manual, 16th Edition. Chapter 3: Information Security Program Development and Management, Section: "Security Program Metrics." The manual explicitly states that metrics are essential for evaluating the performance of the information security program and are used to "measure, monitor and report on the effectiveness of information security management." This evaluation of effectiveness is a direct assessment of maturity.
2. ISACA. (2018). COBIT 2019 Framework: Governance and Management Objectives. Section 3: "Performance Management," pp. 39-42. The COBIT Process Capability Model assesses process maturity on a scale from 0 (Incomplete) to 5 (Optimizing). This assessment is fundamentally based on measuring process attributes and performance indicators (metrics) to determine if a process is achieving its purpose and demonstrating characteristics of higher maturity levels.
3. Paulk, M. C., Curtis, B., Chrissis, M. B., & Weber, C. V. (1993). Capability Maturity Model for Software, Version 1.1. Carnegie Mellon University, Software Engineering Institute. (CMU/SEI-93-TR-024). This foundational document for maturity models establishes the principle that progression through maturity levels is characterized by the institutionalization of processes and the use of measurement and analysis (metrics) to control and improve them. This concept is a cornerstone of information security program maturity assessment.
Question 33
Show Answer
A. A data loss prevention (DLP) system is a reactive control in this context; it aims to prevent data exfiltration after a potential compromise, not prevent the initial attack from succeeding.
B. Disabling all incoming cloud mail services is an extreme and operationally unfeasible measure that would halt essential business communications, making it an unacceptable risk response.
D. Requiring acknowledgment of an acceptable use policy is a passive administrative control for governance; it does not equip employees with the practical skills needed to identify and respond to a sophisticated attack.
1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management, Section 3.4.5, "Security Awareness, Training and Education." The manual emphasizes that the purpose of security awareness is to modify employee behavior to be more security-conscious, which is the primary defense against social engineering attacks like targeted phishing. It states that an effective program helps staff recognize and respond to threats.
2. National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program. Section 2.2, "The Importance of Security Awareness and Training," highlights that a well-trained workforce is a "strong link" in the security chain and is essential for protecting information assets, directly supporting the need for training to counter threats that target users.
3. Puhakainen, P., & Siponen, M. (2010). Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757-778. This academic study demonstrates the effectiveness of security training in changing employee behavior and improving compliance with security policies, thereby reducing the organization's vulnerability to attacks that rely on human error. (DOI: https://doi.org/10.2307/25750704)
Question 34
Show Answer
A. Strong encryption is a critical security control and a means to achieve compliance, but it is not the overarching objective itself.
C. Data availability is a core security principle, but for PII, regulations prioritize confidentiality and integrity over availability in most contexts.
D. Security awareness training is an essential administrative control to support the policy, not the primary objective driving the policy's creation.
1. ISACA. (2017). CISM Review Manual, 15th Edition. Domain 1: Information Security Governance, Section 1.2, "Legal, Regulatory, and Contractual Requirements." This section explicitly states that legal and regulatory requirements, particularly those concerning privacy and PII, are primary drivers for establishing the information security strategy and policies. It emphasizes that compliance is a key objective of security governance.
2. Goel, S., & Chen, V. (2005). Information security in a globally connected world: The case of the U.S. financial services industry. Journal of Global Information Management, 13(4), 1-20. This academic study demonstrates that regulatory mandates (e.g., GLBA) are the principal impetus for the development and implementation of information security programs in industries handling sensitive personal information, making compliance the central objective. (DOI: https://doi.org/10.4018/jgim.2005100101)
3. MIT OpenCourseWare. (2014). 6.805/STS.085J Ethics and Law on the Electronic Frontier. Lecture Notes, Privacy I: The Fourth Amendment and Electronic Surveillance. The course materials discuss how legal frameworks and privacy laws are the basis for organizational policies on data handling, establishing compliance as the foremost concern when dealing with personal data.
Question 35
Show Answer
A. Standard backup utilities are not forensically sound; they can alter file metadata (e.g., access times) and typically do not copy deleted data or slack space.
C. A network backup requires booting the system, which would fundamentally alter the state of the hard drive by writing logs and temporary files, corrupting the evidence.
D. Rebooting the system, even from a forensic CD, alters the system state and is not the first step. Imaging the drive externally is the non-intrusive, preferred method.
1. National Institute of Standards and Technology (NIST). (2006). Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response.
Page 20, Section 3.2.2, "Creating a Duplicate Image of a Drive": "Before a drive is duplicated, a write blocker should be used to prevent any data from being written to the drive... The two basic types of duplication are bit-stream and backup... A bit-stream image, which is the preferred method in forensic analysis, is a bit-for-bit copy of a drive." This directly supports the use of a bit-by-bit copy with a write-blocker as the standard procedure.
2. Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). NIST Special Publication 800-72, Guidelines on PDA Forensics.
Page 26, Section 4.2, "Preservation": Although focused on PDAs, the principle is universal in digital forensics. It states, "The goal of the preservation phase is to preserve the integrity of the digital evidence... This is often accomplished by creating a bit-for-bit copy of the device's memory."
3. Carrier, B. (2003). "Defining digital forensic examination and analysis tools using abstraction layers." International Journal of Digital Evidence, 1(4).
This foundational academic paper outlines the digital forensic process. The initial step in data collection from physical media (like a hard drive) is described as creating a bit-for-bit copy to a file (a forensic image) to ensure the original evidence is not modified. This aligns with the principles of option B.
4. MIT OpenCourseWare. (2014). 6.858 Computer Systems Security, Fall 2014. Lecture 21: Forensics.
The course materials emphasize the "Order of Volatility," and for non-volatile storage like a hard disk in a powered-off system, the standard procedure taught is to create a disk image using a write-blocker before any other action is taken. This prevents contamination of the evidence.
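As an added illustration (not part of the original explanation or of any reference cited above), the following Python models the bit-stream acquisition the answer describes: every byte of the source, allocated or not, is copied in order, and the image is verified by hashing both streams and comparing sizes. The sample "drive" is a constructed file; the hardware write blocker NIST calls for has no software equivalent here beyond opening the source read-only.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB blocks: streams large devices without buffering everything


def bitstream_image(source_path, image_path, algorithm="sha256"):
    """Copy every byte of source_path to image_path and hash both streams.

    Returns byte count, source hash, image hash and a verified flag.  The source
    is opened read-only; on a real acquisition a hardware write blocker also
    sits between the drive and the workstation (constructed example).
    """
    src_hash = hashlib.new(algorithm)
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    # Re-read the image from disk so the verification hash covers what was actually written
    img_hash = hashlib.new(algorithm)
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(block)
    return {
        "bytes": copied,
        "source_hash": src_hash.hexdigest(),
        "image_hash": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest()
        and copied == os.path.getsize(image_path),
    }


def demo():
    """Constructed 1 MiB + 1 KiB pseudo-drive with a remnant in unallocated space."""
    remnant = b"deleted-but-recoverable"
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "evidence.dd")
        with open(drive, "wb") as f:
            f.write(b"\x00" * (256 * 1024))                      # boot area
            f.write(b"live file contents".ljust(512, b"\x00"))   # allocated file
            f.write(b"\x00" * (256 * 1024))
            f.write(remnant.ljust(512, b"\xff"))                  # unallocated / slack
            f.write(b"\x00" * (512 * 1024))
        result = bitstream_image(drive, os.path.join(d, "evidence.img"))
        with open(os.path.join(d, "evidence.img"), "rb") as img:
            result["remnant_in_image"] = remnant in img.read()  # a file-level backup would miss it
        return result
```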