Certified Information Security Manager (CISM) — Question 1232
An organization's intrusion prevention system (IPS) detected and blocked an unusually large number of external intrusion attempts within a 24-hour period. Which of the following should be the information security manager's FIRST course of action?
Answer options
- A. Perform security assessments on Internet-facing systems.
- B. Identify the source and nature of the attempts.
- C. Review the server and firewall audit logs.
- D. Report the issue to senior management.
Correct answer: B
Explanation
The correct first action is to identify the source and nature of the attempts, because understanding the specifics of the intrusion attempts is critical to an effective response. Performing security assessments and reviewing logs are important, but they should come after the context of the threat has been established. Reporting to senior management is also necessary, but it should follow the initial analysis of the situation.