ISP ISP Security Investigations & Incident Response

Question 1

Which phase of an incident response plan involves returning systems to normal operations after a security event?

Accepted Answer

Recovery

Answer

Identification

Answer

Containment

Answer

Lessons Learned

Question 2

What is the primary legal reason for maintaining a 'chain of custody' during a security investigation?

Accepted Answer

To preserve the integrity and admissibility of evidence in legal or disciplinary proceedings

Answer

To ensure the fastest possible resolution of the incident

Answer

To assign blame quickly within the organization

Answer

To comply with annual audit requirements

Question 3

A security investigator discovers a suspicious USB drive in a secured area. The FIRST action should be:

Accepted Answer

Photograph it in place, document its location, and secure it as evidence without inserting it into any system

Answer

Plug it into a computer to identify its contents

Answer

Discard it to prevent further risk to the facility

Answer

Hand it to the nearest employee to identify the owner

Question 4

An industrial security investigation MUST remain within which legal boundary when interviewing employees?

Accepted Answer

Employees must be informed of their rights, and interviews must comply with applicable labor and employment law

Answer

Investigators may use physical coercion if the employee refuses to cooperate

Answer

Investigators can review employee medical records without consent

Answer

Employees may be detained indefinitely pending investigation outcomes

Question 5

Which type of investigation focuses specifically on determining the root cause of a security system failure rather than identifying a perpetrator?

Accepted Answer

Root cause analysis (RCA) / technical investigation

Answer

Criminal investigation

Answer

Administrative investigation

Answer

Grand jury investigation

Question 6

When must a security incident be reported to the relevant government authority in a cleared industrial facility?

Accepted Answer

Whenever a reportable security incident occurs, per the facility's reporting requirements and DD Form 577 obligations

Answer

Only if classified information was confirmed as compromised

Answer

Only after a full internal investigation is complete

Answer

Never—all incidents are handled internally without government notification