Certified Information Security Manager (CISM) — Question 779

Following a successful attack, an information security manager should be confident the malware has not continued to spread at the completion of which incident response phase?

Answer options

• A. Recovery
• B. Eradication
• C. Identification
• D. Containment

Correct answer: D

Explanation

The correct answer is D, Containment, because this phase involves isolating the affected systems to prevent further spread of the malware. Recovery, Eradication, and Identification are subsequent phases that follow containment and do not guarantee that the malware has been fully contained at that point.