Certified Information Security Manager (CISM) — Question 252
An attacker was able to gain access to an organization's perimeter firewall and made changes to allow wider external access and to steal data. Which of the following would have BEST provided timely identification of this incident?
Answer options
- A. Implementing a data loss prevention (DLP) suite
- B. Deploying an intrusion prevention system (IPS)
- C. Deploying a security information and event management system (SIEM)
- D. Conducting regular system administrator awareness training
Correct answer: C
Explanation
The correct answer is C. A security information and event management (SIEM) system collects the firewall's own audit and traffic logs together with events from other systems, correlates them in near real time, and alerts on the combination that this scenario produces: an administrative login from an unexpected source, a rule change that widens external access, and a subsequent large outbound transfer. That is what allows the incident to be identified while it is happening rather than after the data is gone. Option A, a data loss prevention (DLP) suite, may catch the exfiltration of specific classified content, but it has no view of the firewall rule base and would not flag the unauthorized configuration change itself. Option B, an intrusion prevention system (IPS), inspects traffic crossing it for known attack patterns; an attacker who already holds administrative access to the firewall changes its configuration through a management channel the IPS does not monitor, so the compromise would not be seen as an intrusion. Option D, administrator awareness training, may reduce the likelihood of the initial compromise but provides no monitoring or alerting, so it cannot deliver timely identification once the attacker is in.
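To make the SIEM reasoning concrete, the following is an added illustration (it is not part of the exam question or its official explanation) of the kind of correlation rule a SIEM would run for this scenario. The log lines, the field format, the management-network prefix, the change window and the exfiltration threshold are all constructed assumptions for the example; real firewall logs differ by vendor.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real device). Assumed format:
# "<ISO-8601 timestamp> <event-type> key=value key="quoted value" ..."
# They tell the story from the question: an attacker logs in to the firewall
# from an external address at night, opens any-to-any inbound rules, and
# data later leaves the network; a legitimate admin change follows in the morning.
SAMPLE_LOGS = """\
2024-05-01T02:13:05Z fw-login user=admin src=203.0.113.45 result=success
2024-05-01T02:14:40Z fw-config user=admin src=203.0.113.45 action=rule-add rule="permit tcp any any 3389"
2024-05-01T02:15:02Z fw-config user=admin src=203.0.113.45 action=rule-add rule="permit tcp any any 445"
2024-05-01T02:31:17Z fw-traffic src=10.0.5.20 dst=203.0.113.45 dport=445 bytes_out=734003200
2024-05-01T09:02:11Z fw-login user=ops1 src=10.0.0.12 result=success
2024-05-01T09:03:30Z fw-config user=ops1 src=10.0.0.12 action=rule-add rule="permit tcp 10.0.0.0/8 10.0.9.5 443"
"""

# Assumptions for the rule (would come from the organization's standards).
MANAGEMENT_PREFIX = "10.0."            # firewall administration only from this network
CHANGE_WINDOW_HOURS = range(8, 18)     # approved change window 08:00-17:59 UTC
EXFIL_BYTES = 100 * 1024 * 1024        # >= 100 MiB outbound to one host is suspicious
CORRELATION_WINDOW = timedelta(hours=1)


def parse_line(line):
    """Split one log line into a dict with a datetime 'ts', an 'event' and its fields."""
    ts_str, event, rest = line.split(" ", 2)
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', rest)
    fields = {k: v.strip('"') for k, v in pairs}
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return {"ts": ts, "event": event, **fields}


def correlate(log_text):
    """Return a list of (timestamp, severity, message) alerts.

    Rule 1: a firewall configuration change is HIGH if it comes from outside the
            management network, happens outside the change window, or opens
            any-to-any access.
    Rule 2: a large outbound transfer within CORRELATION_WINDOW after such a
            change is CRITICAL, because it matches the change-then-steal pattern.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    suspicious_changes = []
    for e in events:
        if e["event"] == "fw-config":
            reasons = []
            if not e["src"].startswith(MANAGEMENT_PREFIX):
                reasons.append("change from non-management source " + e["src"])
            if e["ts"].hour not in CHANGE_WINDOW_HOURS:
                reasons.append("change outside approved change window")
            if e.get("action") == "rule-add" and " any any " in " %s " % e.get("rule", ""):
                reasons.append("new rule opens any-to-any access")
            if reasons:
                suspicious_changes.append(e)
                alerts.append((e["ts"], "HIGH", "firewall config: " + "; ".join(reasons)))
        elif e["event"] == "fw-traffic" and int(e.get("bytes_out", 0)) >= EXFIL_BYTES:
            related = [c for c in suspicious_changes
                       if timedelta(0) <= e["ts"] - c["ts"] <= CORRELATION_WINDOW]
            if related:
                msg = ("%d bytes to %s within %s of a suspicious firewall change"
                       % (int(e["bytes_out"]), e["dst"], CORRELATION_WINDOW))
                alerts.append((e["ts"], "CRITICAL", msg))
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in correlate(SAMPLE_LOGS):
        print(ts.isoformat(), sev, msg)
```

Run as a script, the example raises two HIGH alerts at the moment the any-to-any rules are added at 02:14 and 02:15 (each from an external source, outside the change window) and a CRITICAL alert at 02:31 when the large transfer to the same external address appears, while the legitimate change by ops1 at 09:03 produces nothing. Only a system that sees the firewall's own audit log alongside traffic records can produce this sequence; neither a DLP suite nor an IPS receives the configuration-change events, which is the point of answer C.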