CISM Master Notes

HIGH freqQAE 高頻出現

MED freqQAE 中頻出現

NEW今次新增（官方 outline 空白補完）

⚠ 所有官方 subtopics 平等重要，freq 只係 QAE 統計參考

A1Organizational CultureISACA official subtopic

Change enterprise security CULTURE

→

FIRST = Executive endorsement
ONGOING = Awareness campaigns

NEW

▶

Culture = reflection of senior management vision。FIRST step = gain executive endorsement（唔係 controls 或 training）。Ongoing = awareness campaigns（MOST effective）。

「implement stronger controls」→ 可能引起反彈，唔改 culture。「periodic compliance reviews」→ 識別問題，唔改 culture。

Q87

The FIRST step to create an internal culture that embraces information security is to:

Aimplement stronger controls.

Bconduct periodic awareness training.

Cactively monitor operations.

Dgain endorsement from executive management.

廣東話拆解FIRST = executive endorsement（提供 intent + direction + support）。Controls / training = 之後執行。

A2Legal, Regulatory and Contractual RequirementsISACA official subtopic

Regulatory compliance requirements — treat as

→

JUST ANOTHER RISK (probability + consequences)

HIGH freq

▶

Regulations = treated as any other risk，按 probability + consequences 評估 priority。唔係所有 regulations 都要 100% comply。Cost of compliance vs cost of sanctions = business decision。

「an organizational mandate — must comply」→ 錯，CISM 視 compliance 為 risk management decision。

Q324

The information security manager should treat regulatory compliance requirements as:

Aan organizational mandate.

Ba risk management priority.

Ca purely operational issue.

Djust another risk.

廣東話拆解Regulation = risk。按 likelihood × impact 評估，唔係自動 100% comply。

A3Organizational Structures, Roles and ResponsibilitiesISACA official subtopic

BEST indicator of effective governance

→

Steering committee APPROVES all security projects

HIGH freq

▶

Governance = accountability + oversight，唔係 training。Steering committee approval power = 有人問責。

Training 類答案（managers / employees / intranet）——training ≠ governance indicator。

Which would be the BEST indicator of effective information security governance?

AThe steering committee approves security projects.

BSecurity policy training is provided to all managers.

CSecurity training is available on the intranet.

DIT personnel are trained in applying patches.

廣東話拆解B、C、D = training 陷阱。Governance ≠ training。Steering committee approval = accountability 結構。

Who classifies data / responsible for classification

→

DATA OWNER (business side)

HIGH freq

▶

Data Owner（業務方）= 負責分類 + 決定 access rights。IT = Custodian（執行）。Security Manager = 定義分類框架（唔係做分類）。

Database administrator / IT manager → 係 custodian，唔負責分類。

Senior management MOST appropriate role

→

Approval of POLICY + FUNDING

HIGH freq

▶

Senior management = 批准 policy、撥款、問責。唔係做 vendor evaluation 或 risk assessment（呢啲係 security manager 做）。Board of directors = 最終問責。

「conducting risk assessments」→ security manager 嘅工作，唔係 senior management。

B1Information Security Strategy DevelopmentISACA official subtopic

PRIMARY goal of information security

→

Support / align to BUSINESS OBJECTIVES

HIGH freq

▶

Security 嘅存在意義 = 幫 business achieve objectives。唔係 compliance，唔係 technical excellence。Security goals DERIVED FROM business goals。

「ensure compliance」→ compliance 係 requirement，唔係 primary goal。

Q27

The PRIMARY goal of developing an information security strategy is to:

Aestablish security metrics and performance monitoring.

Beducate business process owners regarding their duties.

Censure that legal and regulatory requirements are met.

Dsupport the business objectives of the enterprise.

廣東話拆解A、B、C = 手段或 requirements。D = primary goal。任何問 primary goal/purpose of security → business objectives。

Get senior management SUPPORT / COMMITMENT

→

Tie security risk to KEY BUSINESS OBJECTIVES

HIGH freq

▶

Senior management 唔理技術語言。用 business language：business impact、business risk、business objectives。

「explain the technical risk」→ 唔係高層想聽嘅語言。

FIRST step — developing security PROGRAM

→

Establish the NEED for creating the program

MED freq

▶

順序：Establish need → Define scope → Risk assessment → Strategy → Policy。先確立為何需要，先能做其他步驟。

「identify business risk first」→ 錯，FIRST = establish the need。

B2Information Governance Frameworks and StandardsISACA official subtopic

BEST approach — developing security program

→

Adopt a FRAMEWORK (ISO 27001, COBIT)

NEWMED freq

▶

Framework = skeleton structure + widely recognized。ISO 27001 / COBIT = CISM 最常提嘅 frameworks。Framework 提供 structure，唔係 prescriptive step-by-step。

「framework provides detailed process steps」→ 錯，framework = structure，唔係 detailed instructions。

Q130

The BEST approach to developing an information security program is to use a:

Aprocess.

Bframework.

Creference model.

Dguideline.

廣東話拆解Framework (ISO/COBIT) = best practice structure。Process = implementation；Reference model = less flexible；Guideline = not comprehensive。

B3Strategic Planning (Budgets, Resources, Business Case)ISACA official subtopic

Security investment / budget based on

→

VALUE ANALYSIS / COST-BENEFIT

HIGH freq

▶

Security investment = business case + ROI justification。Cost of control should NOT exceed asset value。

「vulnerability assessment results」→ 只係 one input，唔係 basis for investment decision。

Noncompliance — MOST effective resolution

→

Regular reports to AUDIT COMMITTEE

HIGH freq

▶

Audit committee = 最高 enforcement power。Periodic audits 識別問題但冇 escalation；training 唔能 enforce。

Policy Hierarchy — 必背順序

文件	特性	關鍵點
Policy	強制，最高層，Board 批准	最穩定，唔因技術改變
Standard	具體技術要求	技術改變要更新
Procedure	操作步驟	更新最頻繁
Guideline	建議性，非強制	員工可選擇唔跟 → 最 discretionary

A1Emerging Risk and Threat LandscapeISACA official subtopic

MOST difficult external influence to control

→

THREAT LANDSCAPE (唔能 positively control)

NEWMED freq

▶

Threats = 來自獨立外部來源（human/natural），唔能預測或控制。Vulnerability posture = 可以估計 + 控制。Compliance requirements = 可以 manage。

「vulnerability posture」→ 可以管理，唔係 MOST difficult。Threat landscape = 真正難以控制。

Q252

Which is MOST difficult for an enterprise to control?

AVulnerability posture

BCompliance requirements

COutsourcing expenses

DThreat landscape

廣東話拆解Threat landscape = 外部，唔能控制。Vulnerability = 可以 manage。所以 risk management 要持續——因為 threat landscape 不斷改變。

Why repeat risk assessment regularly

→

Business THREATS are constantly CHANGING

MED freq

▶

Risk environment 不斷改變（business objectives、technology、threat landscape）。唔係「fix omissions」或「use different methodologies」。

A2Vulnerability and Control Deficiency AnalysisISACA official subtopic

Vulnerability assessment PRIMARY objective

→

Provide ASSURANCE TO MANAGEMENT

HIGH freq

▶

Vulnerability assessment = 識別弱點 → 向 management 提供保證。唔係直接 reduce risk（係間接），唔係 ensure compliance。

「reduce risk to the business」→ 係間接效果，唔係 primary objective。

A3Risk Assessment and AnalysisISACA official subtopic

PRIMARY objective of risk management

→

Achieve risk to ACCEPTABLE LEVEL

HIGH freq

▶

唔係 minimize，唔係 eliminate——係 acceptable level。由 steering committee / senior management 決定咩係 acceptable。

「Eliminate business risk」= 即刻排除。「Zero risk」= 唔可能。

FIRST step of risk assessment

→

Identify / inventory ASSETS

HIGH freq

▶

唔知有咩資產，點知要保護咩。順序：Asset inventory → Threats → Vulnerabilities → Likelihood/Impact → Controls。

「identify threats first」→ 錯，assets 先。

2 ESSENTIAL elements of risk

→

LIKELIHOOD + IMPACT

HIGH freq

▶

Risk = Likelihood × Impact。缺一不可。Threat + vulnerability = incomplete（唔包含 impact）。

Qualitative vs Quantitative

→

Qualitative = intangible · Quantitative = financial

MED freq

▶

Qualitative

Intangible risks

聲譽損失、客戶信心下跌
無法用數字量化

Quantitative

Financial risks

收入損失、設備費用
ALE = ARO × SLE

Risk assessment FIRST introduced in SDLC

→

FEASIBILITY phase (earliest possible)

HIGH freq

▶

越早引入 security，成本越低，改動越易。Feasibility = 第一個正式階段。等到 specification 或 design = 太遲，改動成本高。

「requirements specification」→ 係第二位，feasibility 先。

B1Risk Treatment / Risk Response OptionsISACA official subtopic

4 Risk treatment options

→

Accept · Mitigate · Transfer · Avoid

HIGH freq

▶

Insurance = Transfer（唔係 eliminate）。Stop activity = Avoid。Add controls = Mitigate。Do nothing = Accept。外判 ≠ transfer risk，enterprise 仍係 risk owner。

「insurance eliminates risk」→ 錯，係 Transfer。

After residual risk determined — next step

→

VALIDATE it is ACCEPTABLE

HIGH freq

▶

唔係自動繼續 mitigate。先確認係咪 acceptable → 係就 accept，唔係就繼續處理。

New outsourcing / third party — FIRST step

→

Perform INTERNAL RISK ASSESSMENT

HIGH freq

▶

外判唔代表轉移責任。先做 internal risk assessment 了解自己嘅 risk exposure，才能決定要向第三方要求乜嘢 controls。

「audit third party first」→ 唔係 FIRST，先了解自己嘅 risk。

B2Risk and Control OwnershipISACA official subtopic

Acceptable risk level determined by

→

STEERING COMMITTEE / Senior management

HIGH freq

▶

Risk appetite = business decision，由 senior management / steering committee 決定。唔係 security manager 或 CIO 自己話事。

B3Risk Monitoring and ReportingISACA official subtopic

MOST appropriate to communicate to senior management

→

KEY RISK INDICATORS (KRI) — critical business assets

NEWHIGH freq

▶

KRI = current + predictive early warning = actionable for senior management。唔係 historical data 或 technical details。

「risk assessment results」→ 係 future risk，唔係 current actionable info。Senior management 需要 current + actionable。

Q388

MOST appropriate to communicate to senior management for risk decisions:

AInformation security risk assessment results

BKey risk indicators related to critical business assets

CInternal and external loss historical data

DRisk scenario analysis results

廣東話拆解KRI = current + early warning = actionable。Risk assessment = future；Loss data = historical；唔係 current。

KRI MOST essential attribute

→

PREDICTIVE of a risk event (early warning)

MED freq

▶

KRI = 前向指標，預測 developing risk。KPI = 後向，measure 現有 performance。KRI predicts，KPI measures。

「accurate and reliable」→ 係重要屬性，但唔係 MOST essential。

A1Program Resources (People, Tools, Technologies)ISACA official subtopic

New security tool recommended — FIRST step

→

Assess ALIGNMENT WITH BUSINESS GOALS

HIGH freq

▶

任何新工具，第一步唔係 implement，唔係 budget，唔係組隊。先 assess 同 business goals 嘅關聯。就算係 audit director 推薦都係咁。

「obtain pricing」/ 「form project team」→ 假設已決定購買，但未 justify。

Q751

The director of auditing recommended a monitoring solution. FIRST action:

AObtain comparative pricing bids.

BAdd the purchase to next budget cycle.

CPerform an assessment to determine correlation with business goals.

DForm a project team to plan implementation.

廣東話拆解就算係 audit director 推薦，FIRST = assess business alignment。A、B、D 假設已決定購買。

A2Information Asset Identification and ClassificationISACA official subtopic

PRIMARY prerequisite to data classification

→

IDENTIFY DATA OWNERS first

HIGH freq

▶

冇 data owner，根本冇人負責做分類。先識別 owner，才能讓他們分類。Classification level based on criticality + sensitivity。

「define classification levels first」→ 係第二步，先要有 owner。

A3Industry Standards and FrameworksISACA official subtopic

Security BASELINE — why develop

→

Defines MINIMUM ACCEPTABLE SECURITY

HIGH freq

▶

Baseline = 最低安全標準，確保所有系統達到最低要求。唔係最高標準，係 minimum acceptable security。所有系統要達到呢個 minimum。

「defines required physical and logical access controls」→ 唔係定義，係 content 之一。

A4Information Security Policies, Procedures and GuidelinesISACA official subtopic

Change Management vs Patch Management

→

Change = prevent INTRODUCED · Patch = fix KNOWN

HIGH freq

▶

Change Management

Prevent NEW weaknesses INTRODUCED

關鍵字："introduced / unauthorized changes"
Preventive control

Patch Management

Fix KNOWN, existing vulnerabilities

關鍵字："known / OS weaknesses"
First step = validate authenticity

⚠ 最易混淆！考試可能連續出兩條，答案完全相反。記住關鍵字！

A5Information Security Program MetricsISACA official subtopic

BEST measure of security program effectiveness

→

Extent to which CONTROL OBJECTIVES ARE MET

NEWHIGH freq

▶

Controls 係為達到 control objectives 而設。Effectiveness = objectives met。唔係 minimize risk（太 broad），唔係 compliance（太 narrow）。

「minimize risk」→ 唔係目標，係 acceptable level。

Q762

BEST measure of effectiveness of the security program:

AMinimizing risk across the enterprise

BCountermeasures existing for all known threats

CLosses consistent with annual loss expectations

DThe extent to which control objectives are met

廣東話拆解Control objectives = aligned with acceptable risk。Effectiveness = objectives met。

B1Control Design and SelectionISACA official subtopic

Control types: preventive / detective / corrective

→

Preventive=prevent · Detective=identify · Corrective=restore

MED freq

▶

Firewall = Preventive。IDS = Detective（唔係 preventive！）。IPS = Preventive。Backup/Recovery = Corrective。Change management = Preventive。Awareness training = Preventive + Detective。

「IDS = preventive」→ 錯！IDS = detective（detect，唔係 prevent）。IPS = preventive。

B2Control Implementation and IntegrationISACA official subtopic

MOST cost-effective access control type

→

ROLE-BASED Access Control (RBAC)

HIGH freq

▶

按 job role 分配權限，大減 admin overhead。最適合大型 user communities。SoD best implementation = RBAC。

Privileged access exceeds requirements — FIRST

→

Meet DATA OWNERS to understand BUSINESS NEEDS

HIGH freq

▶

可能有 legitimate business reason。先了解情況，唔係急住 revoke。

「revoke access immediately」→ 可能影響業務，未了解情況先唔能行動。

Public-facing servers location · Firewall placement

→

Web/extranet → DMZ · Firewall → Domain boundary

HIGH freq

▶

Web server → DMZ。Intranet server → internal network。Database server → never DMZ（太敏感）。Firewall → domain boundary（security domain 邊界）。

PKI preferred model for large user groups — why

→

More SCALABLE than symmetric key

HIGH freq

▶

Symmetric = 每對用戶需要一把 key（n×(n-1)/2 keys）= 唔 scalable。PKI = public/private key pair = 每人一把 private key = scalable。

「computationally more efficient」→ 錯，PKI 計算成本更高。Scalability = 真正優勢。

BEST ensures NONREPUDIATION

→

DIGITAL SIGNATURES

HIGH freq

▶

Digital signatures = private + public key pair，驗證雙方身份 + content integrity。Sender 無法否認。Hash = integrity only。Password = authentication only。

B3Control Testing and EvaluationISACA official subtopic

Why periodically TEST controls

→

To ensure OBJECTIVES ARE MET (not just for compliance)

NEWMED freq

▶

Controls degrade over time。Testing = verify still meeting objectives。唔係 to meet regulatory requirements（唔係 primary reason），唔係 test design alone。

「to meet regulatory requirements」→ 唔係 MOST important reason。

B4Information Security Awareness and TrainingISACA official subtopic

PRIMARY objective of security awareness

→

INFLUENCE EMPLOYEE BEHAVIOUR

HIGH freq

▶

唔係 pass tests，唔係 understand policies。知道 ≠ 做到。目標係 behavior change。WHEN to train new employees = Before they have data access。

Prevent SOCIAL ENGINEERING / PHISHING

→

Security AWARENESS TRAINING

HIGH freq

▶

Social engineering = 利用人嘅弱點，唔係技術漏洞。技術控制無效。呢係少數 training 係正確答案嘅情況。

「firewall rules」/ 「spam filter」→ 對 social engineering 無效。

BEST metric — awareness effectiveness

→

Number of REPORTED INCIDENTS (先升後降)

HIGH freq

▶

成效好 → 員工更積極舉報。先升（員工更警覺）後降（incidents 減少）。唔係 test scores 或 completion rate。

B5Management of External Services (Third Parties, Suppliers)ISACA official subtopic

SLA not updated in years — action

→

Ensure requirements meet CURRENT BUSINESS NEEDS

HIGH freq

▶

SLA 4年冇更新，業務已變化。唔係直接 terminate contract 或 audit vendor first。SLA 要 align to current business needs。Key contractual requirement = Right to audit。

BYOD decision already made — security manager FIRST

→

Determine information security STRATEGY for BYOD

HIGH freq

▶

決定已定，唔係 advise against（太遲）。FIRST = determine strategy，睇現有 strategy 能否 accommodate BYOD。

「advise against implementing BYOD」→ 企業已決定，呢個選項唔 relevant。

B6Program Communications and ReportingISACA official subtopic

MOST relevant metric for senior management report

→

TRENDS in adverse incidents (唔係 point-in-time numbers)

NEWHIGH freq

▶

Senior management 需要 TRENDS（顯示 program 係咪 improving），唔係 single snapshot numbers。Trends = strategic value。

「percentage of compliant servers」→ point-in-time，唔係 trend。「number of patches applied」→ operational detail，唔係 strategic。

Q777

Which indicator is MOST likely to be of strategic value?

ANumber of users with privileged access

BTrends in incident frequency

CAnnual network downtime

DVulnerability scan results

廣東話拆解Trends = strategic（顯示 program 改善方向）。Point-in-time numbers = operational。

場景 A — "REPORTED" / IDS alert

FIRST = CONFIRM the incident

未確認係咪真事故，先 confirm（false positive 好常見）

場景 B — "RESPONDING TO" confirmed incident

FIRST = CONTAINMENT

已確認係真實事故，先 contain 限制影響擴散

A1Incident Response PlanISACA official subtopic

Incident response FULL ORDER

→

Confirm → Contain → Eradicate → Recover → Lessons

HIGH freq

▶

背到出口。每一步嘅關鍵字都係可能嘅考題答案。Document everything throughout。

Reported breach ≠ confirmed。"Reported" → Confirm first。"Responding to" → Contain first。

Breach "REPORTED" / IDS alert → FIRST step

→

CONFIRM / VALIDATE it's a real incident

HIGH freq

▶

"Reported" = 未確認。False positive 好常見（admin maintenance 可觸發 IDS alert）。先 confirm，才能做後續。

最常見錯誤：揀 Contain（C）——Reported ≠ Confirmed，先要 Confirm！

Q932

A credit card database has been reported as breached. FIRST step:

AConfirm the incident.

BNotify senior management.

CStart containment.

DNotify law enforcement.

廣東話拆解"reported" = 未確認。先 Confirm（A），才 Contain（C）。好多人揀 C，係錯！

IR team MANUAL should contain

→

SEVERITY CRITERIA (stable content for manual)

HIGH freq

▶

IR manual = relatively static content。Severity criteria = stable，適合 manual。Phone directory = changes frequently，唔適合 manual。

「emergency call tree / phone directory」→ 頻繁改變，唔適合 IR manual。

A2Business Impact Analysis (BIA)ISACA official subtopic

BIA — key facts

→

FIRST step BCP/DRP · Determines RTO/RPO · Business process owners calculate

HIGH freq

▶

BIA → RTO/RPO/恢復優先次序 → DR site type。Business process owners = 最了解業務中斷後果。IT = 知技術，唔知業務 impact。BIA = best tool for priority of restoration。

「risk assessment」→ BIA 先，risk assessment 係 BIA 嘅 input 之一。

A3–A4Business Continuity Plan (BCP) / Disaster Recovery Plan (DRP)ISACA official subtopic

RTO vs RPO vs AIW vs SDO

→

RTO=時間 · RPO=數據 · AIW=最大容許中斷 · SDO=最低服務水平

HIGH freq

▶

縮寫	定義	決定咩
RTO	幾耐要恢復系統	DR site type (hot/warm/cold)
RPO	可接受損失幾多數據	Backup frequency
AIW	業務可容許最長中斷	Recovery solution design
SDO	Recovery 期間最低服務水平	Alternate operations mode

DR site types comparison

→

Hot=即時最貴 · Warm=幾小時 · Cold=最平最長

HIGH freq

▶

Site	特性	RTO	成本
Hot Site	完全配備，即時接管	最短（分鐘）	最貴
Warm Site	部分設備	幾小時至幾天	中等
Cold Site	空殼	最長（幾天至幾週）	最平

Hot site 最大弱點：Provider services ALL major companies in same area → 區域性災難時大家同時需要，可能唔夠用。

A5Incident Classification / CategorizationISACA official subtopic

PRIMARY reason for conducting TRIAGE

→

PRIORITIZE LIMITED RESOURCES

HIGH freq

▶

Resources 有限，要先處理最重要嘅 incidents。Triage = prioritization tool，唔係 prevention，唔係 detection。

A6Incident Management Training, Testing and EvaluationISACA official subtopic

DR test SUCCESS — most important element

→

Business management ACTIVELY PARTICIPATES

HIGH freq

▶

Management support = 資源、員工認真、結果有人 action。冇 management，DR test 係走過場。

「identical equipment at hot site」→ 係 technical requirement，唔係 most important success factor。

BCP/DRP testing types

→

Full interruption=最充分 · Parallel=continuous ops · Simulation=有效無中斷

HIGH freq

▶

類型	描述	用途
Checklist	紙上演練	Least assurance
Simulation	模擬場景演練	Effective 又唔 disruptive
Parallel test	Production 繼續，同時測試 recovery	需要 continuous operations
Full interruption	Primary site shutdown	Most assurance，最 disruptive

B1Incident Management Tools and TechniquesISACA official subtopic

Timely incident identification — BEST action

→

Implement INCIDENT DETECTION capability

HIGH freq

▶

Detection capability = prerequisite 嚟 timely identification。BIA / risk analysis 唔直接確保 timely detection。

B2Incident Investigation and EvaluationISACA official subtopic

Forensic investigation — FIRST step

→

Establish CHAIN OF CUSTODY log

HIGH freq

▶

Chain of custody = 記錄每個人接觸過證據、做咗咩、幾時做。確保法庭證據有效。冇 CoC = 後面所有步驟可能無效。

write blocker（第2步）/ hash（第3步）→ 係正確步驟，但唔係 FIRST。

Q971

When creating a forensic image, which should be the FIRST step?

AIdentify a recognized forensics software tool.

BEstablish a chain of custody log.

CConnect the hard drive to a write blocker.

DGenerate a cryptographic hash.

廣東話拆解Chain of custody FIRST。C = 第2步；D = 第3步。先有 CoC，先有法律效力。

Analyze suspect media

→

BIT-FOR-BIT copy; analyze the COPY (never original)

HIGH freq

▶

直接分析原件 = 破壞原始證據。Bit-for-bit = 100% 完整（包括 deleted files、slack space、volatile data）。

「standard backup」→ 唔夠，backup 唔包含 deleted files 或 slack space。

B3Incident Containment MethodsISACA official subtopic

"RESPONDING TO" confirmed incident — FIRST priority

→

CONTAINMENT — limit the impact

HIGH freq

▶

已確認係真實事故，第一優先 = Contain（限制影響擴散）。唔係 documentation，唔係 restoration，唔係 notify management。

Ransomware — FIRST step

→

REMOVE affected systems from NETWORK

MED freq

▶

Ransomware spreads quickly。Remove from network = contain spread。唔係 notify，唔係 restore（restore 可能 reinfect）。

「restore from backups immediately」→ 可能 reinfect backups。Contain first！

Data EXFILTRATION active incident — FIRST

→

BLOCK traffic going to attacker's servers

HIGH freq

▶

Ongoing damage = stop it FIRST。Block outbound traffic = contain exfiltration。先 stop，才 investigate。

「inform system owner first」→ 係重要，但 ongoing exfiltration = stop first。

B4Incident Response CommunicationsISACA official subtopic

Breach confirmed, data stolen — notify FIRST

→

DATA OWNERS who may be impacted

HIGH freq

▶

Data owners = 最了解呢批數據嘅重要性 + accountability 所在。先通知 data owners 評估損失，協調後續 notifications。

「customers」→ 睇落好合理，但唔係 FIRST。先要 data owners 評估 scope，才能決定點通知客戶。

B5Incident Eradication and RecoveryISACA official subtopic

Superuser compromise — eradication method

→

REBUILD system from ORIGINAL MEDIA

HIGH freq

▶

Superuser 可以做任何改動（impossible to find all changes）。唯一確保 clean = rebuild from original installation media。

「change all passwords and resume」→ 唔夠，superuser 可能已植入 backdoor。

B6Post-Incident Review PracticesISACA official subtopic

PRIMARY objective of post-incident review

→

IMPROVE the response process (forward-looking)

HIGH freq

▶

唔係追責，唔係量化損失。Forward-looking = 改善未來 incident response。Third party = avoid conflict of interest = more objective。

「identify who was responsible」→ 唔係 primary objective。

Control tested but compromise still occurred — FIRST

→

Perform ROOT CAUSE ANALYSIS

HIGH freq

▶

先了解點解發生，先能知係咪 control 唔夠，定係有其他原因。唔係 repeat the test，唔係 develop more controls（未知原因前唔能決定）。

「repeat the control test」→ 唔係 FIRST，先搞清楚原因。

CISM Master Notes

Information Security Governance

Information Security Risk Management

Information Security Program

Incident Management