Certified Information Security Manager (CISM) — Question 691
An organization is conducting a post-incident review to determine the root cause of an information security incident. Which of the following situations would be MOST harmful to this investigation?
Answer options
- A. Unencrypted logs of the affected systems were saved on magnetic tapes.
- B. Antivirus signature update processes failed on the affected systems.
- C. Systems logs were cleared by the administrator to free up space on the affected systems.
- D. The incident response plan has not been updated during the past year.
Correct answer: C
Explanation
Clearing the system logs to free up space (option C) would be the most damaging because it removes critical evidence needed to analyze the incident. Unencrypted logs (option A), failed antivirus updates (option B), and an outdated incident response plan (option D) can hinder the investigation, but they do not eliminate existing data the way clearing logs does.