Certified Information Security Manager (CISM) — Question 902
When an organization lacks internal expertise to conduct highly technical forensics investigations, what is the BEST way to ensure effective and timely investigations following an information security incident?
Answer options
- A. Purchase forensic standard operating procedures.
- B. Retain a forensics firm prior to experiencing an incident.
- C. Ensure the incident response policy allows hiring a forensics firm.
- D. Provide forensics training to the information security team.
Correct answer: B
Explanation
The best option is to retain a forensics firm prior to an incident, because this ensures that expert assistance is readily available when it is needed most. The other options, such as providing training or creating policies, do not guarantee immediate access to specialized skills at the critical time, and that lack of access could delay the investigation and response.