There are several methods by which security incidents can be raised, which broadly fit into one of these categories: (Choose two.)
A. Integrations
B. Manually created
C. Automatically created
D. Email parsing
Using the KB articles for Playbooks tasks also gives you which of these advantages?
A. Automated activities to run scans and enrich Security Incidents with real-time data
B. Automated activities to resolve Security Incidents through patching
C. Improved visibility to threats and vulnerabilities
D. Enhanced ability to create and present concise, descriptive tasks
The severity field of the security incident is influenced by what?
A. The cost of the response to the security breach
B. The impact, urgency and priority of the incident
C. The time taken to resolve the security incident
D. The business value of the affected asset
What is the name of the Inbound Action that validates whether an inbound email should be processed as a phishing email for URP v2?
A. User Reporting Phishing (for Forwarded emails)
B. Scan email for threats
C. User Reporting Phishing (for New emails)
D. Create Phishing Email
If the customer's email server currently has an account set up to report suspicious emails, then what happens next?
A. An integration added to Exchange keeps the ServiceNow platform in sync
B. The ServiceNow platform ensures that parsing and analysis take place on their mail server
C. The customer's systems are already handling suspicious emails
D. The customer should set up a rule to forward these emails on to the ServiceNow platform
What makes a playbook appear for a Security Incident if using Flow Designer?
A. Actions defined to create tasks
B. Trigger set to conditions that match the security incident
C. Runbook property set to true
D. Service Criticality set to High
Joe is on the SIR Team and needs to be able to configure Territories and Skills. What role does he need?
A. Security Basic
B. Manager
C. Security Analyst
D. Security Admin
Why is it important that the Platform (System) Administrator and the Security Incident administrator role be separated? (Choose three.)
A. Access to security incident data may need to be restricted
B. Allow SIR Teams to control assignment of security roles
C. Clear separation of duty
D. Reduce the number of incidents assigned to the Platform Admin
E. Preserve the security image in the company
The following term is used to describe any observable occurrence:
A. Incident
B. Log
C. Ticket
D. Alert
E. Event
Which of the following process definitions allow only single-step progress through the process defined without allowing step skipping?
A. SANS Stateful
B. NIST Stateful
C. SANS Open
D. NIST Open