[CCCure CISSP] Qs3 Law: cccure QuizEngn doubts

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[CCCure CISSP] Qs3 Law: cccure QuizEngn doubts

Amlan Deb
Hello everyone,
I have some doubts regarding some cccure Quiz questions and concepts mentioned below. Would really appreciate it if you could take out some time and help me with them. Request you to please provide a quick reply as I need to appear for the exam in the month of July.



1.     Question: 1425 | Difficulty: 5/5 | Relevancy: 3/3

Which of the following should be notified first in the event of an intrusion?

o      Human resources

o      Law enforcement agencies

o     Internal public relations point of contact

o      System and network administrator(s)

You did not provide any answer to this question. Please review details below.

An organization's networked systems security policy should include an information dissemination policy identifying, among others, whom to notify in the event of an intrusion and in what order.

The first contact should be with the responsible manager and other managers who need to be made aware, but that choice is not listed here.

The next in order of importance should be the internal public relations point of contact, making it the first in importance of the offered choices.

Next, the Local Computer Security Incident Response Team (CSIRT), if one exists, should be contacted.

Other contacts can be notified in varying order according to the type of intrusion or other circumstances.


Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (page 281).



Last modified 07/02/2007, Ron Hehemann


The Carnegie Mellon Software Engineering Institute did some work for the Department of Defense in the state on this subject.  Here are some of the recommendations they proposed:

Communicate with all parties that need to be made aware of an intrusion and its progress.  Those with key roles in responding to an intrusion need to be notified and kept informed at the appropriate times to fulfill their responsibilities.

You need to immediately notify the responsible mid-level and senior managers, your local computer security incident response team (CSIRT) if one exists, your public relations staff, and the affected system administrators (if they are not already involved) based on your organization’s information dissemination policy.

For responses to intrusions that require management approval, you need to obtain a decision about:

• whether or not to close the breach and continue doing business
• whether or not to continue to gather data on an intruder's activities (including protecting evidence associated with these activities)
• what quantity and type of information you should communicate
• who you need to inform

Executing your information dissemination procedures may include contacting users affected by an intrusion, security personnel, law enforcement agencies, vendors, and other SIRTs external to your organization.

Contributor: Christian Vezina

Covered topics (2): <A title="Incident handling and response - Incident handling and response often includes the creation of a computer Incident Response Team (CIRT), which manages a company's response to events that pose a risk to their computing environment." href="javascript:void(0)">Incident handling and response, <A title="External communications - " href="javascript:void(0)">External communications


My doubt:  As per the above explanation (in the first half of the answer) CSIRT team is notified after notifying Management and Public Relations. In the second half of the answer the explanation is bit different where as per Carnegie Institute CSIRT should be notified second after notifying Management

Shouldn’t CSIRT be the first team to be notified and then followed by Management and Public Relations?


You can find the list archive at:

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below: