Certified Information Security Manager (CISM) — Question 64
An intrusion has been detected and contained. Which of the following steps represents the BEST practice for ensuring the integrity of the recovered system?
Answer options
- A. Restore the application and data from a forensic copy.
- B. Install the OS, patches, and application from the original source.
- C. Restore the OS, patches, and application from a backup.
- D. Remove all signs of the intrusion from the OS and application.
Correct answer: B
Explanation
Installing the OS, patches, and application from the original source ensures that the system is clean and free of any malware that may have been present during the intrusion. Restoring from a forensic copy or a backup could reintroduce compromised data or system components, since either may have been captured after the intrusion began. Simply removing the signs of the intrusion does not guarantee that the system is fully secure, because changes made by the intruder may remain undetected.