Module 9: Incident Response

Module 9 Assessment

Multiple Choice

Identify the choice that best completes the statement or answers the question.

____ 1. Which of the following is not a common type of incident in a SCADA/ICS?

a. Unauthorized access to system controls c. Vendor goes out of business and can no longer supply critical components
b. A worm infects a network at a nuclear power plant d. Vendor improperly performs a security assessment, resulting in loss of system availability


____ 2. In which phase of NIST’s SP 800-61 would organizations prioritize response to multiple threat actions?

a. Preparation c. Containment Eradication and Recovery
b. Detection and Analysis d. Post-Incident Activity




Match each core capability of the National Response Framework with its objective.

A. Planning H. Mass Care Services
B. Public Information and Warning I. Mass Search and Rescue Operations
C. Operational Coordination J. On-Scene Security and Protection
D. Critical Transportation K. Operational Communications
E. Environmental Response/Health and Safety L. Public and Private Services and Resources
F. Fatality Management Services M. Public Health and Medical Services
G. Infrastructure Systems N. Situational Assessment

____ 3. Ensure the availability of guidance and resources

____ 4. Relay information on threats and hazards

____ 5. Provide life-sustaining services, including food and shelter

____ 6. Provide communications

____ 7. Establish and maintain an operational structure and process

____ 8. Provide decision-makers with information

____ 9. Deliver search and rescue operations

____ 10. Provide transportation for response

____ 11. Provide essential services

____ 12. Engage the community to develop response approaches

____ 13. Provide lifesaving medical treatment

____ 14. Stabilize infrastructure

____ 15. Provide law enforcement and security

____ 16. Body recovery and victim identification services

Match the following sections of the ICS Cyber Incident Response Plan with their contents.

A. Overview, Goals, and Objectives F. Response Actions
B. Incident Description G. Communications
C. Incident Detection H. Forensics
D. Incident Notification I. Additional Sections
E. Incident Analysis

____ 17. Includes media contacts

____ 18. Incident type classification

____ 19. Addresses how an incident is prioritized and escalated

____ 20. Addresses how to evaluate and analyze an incident

____ 21. Other stuff

____ 22. Discusses business objectives

____ 23. The process for collecting, examining, and analyzing incident data, with an eye to legal action

____ 24. Defines the procedures used for each type of incident

____ 25. Describes how an incident is identified and reported


Short Answer

26. Define incident containment and provide an example of how it would be applied to an incident.



27. Discuss how the response strategy for an incident that was sourced from within the organization would differ from one sourced from outside of the organization.




For the answers to these questions, email your name, the name of your college or other institution, and your position there to CyberWatch West will email you a copy of the answer key.


Icon for the Creative Commons Attribution 4.0 International License

Critical Infrastructure Cybersecurity by Whatcom Community College and CyberWatch West is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book