Medium · 1 mark · Multiple Choice
CPA · Question 28 · Area II: Security
An auditor is reviewing the incident response plan of a financial institution. The plan states that in the event of a ransomware attack, the first step is to 'Pay the ransom immediately to restore operations.' How should the auditor evaluate this procedure?
Answer options:
A. It is appropriate because it minimizes downtime (RTO).
B. It is appropriate provided the payment is made via cryptocurrency.
C. It is deficient; the first step should be containment and isolation of infected systems.
D. It is deficient; the first step should be to delete all data.
How to approach this question
Recall the Incident Response Lifecycle (NIST): Preparation -> Detection -> Containment -> Eradication -> Recovery. 'Containment' is the immediate technical reaction.
Full Answer
C. It is deficient; the first step should be containment and isolation of infected systems. ✓ Correct
The priority in a ransomware attack is Containment (disconnecting from the network) to prevent spread. Paying the ransom is a complex legal/business decision and is never the standard 'first step' in a response plan.
Common mistakes
Focusing on the business need to restore quickly vs the technical need to contain.