Exam GICSP Topic 1 Question 35 Discussion
Actual exam question for GIAC's GICSP exam
Question #: 35
Topic #: 1
Question #: 35
Topic #: 1
Which of the following is typically performed during the Recovery phase of incident response?
Suggested Answer: B Vote an answer
The Recovery phase in incident response focuses on restoring systems to normal operations and strengthening defenses:
Patching and configuring systems to meet secure standards (B) is a typical recovery activity to prevent recurrence.
Updating security policies (A) is usually part of the Post-Incident Activities or Governance.
Root cause analysis (C) is typically part of the Investigation or Analysis phase.
Forensic imaging (D) is part of the Containment and Eradication phases for evidence preservation.
GICSP aligns recovery activities with system hardening and return to normal operations.
Reference:
GICSP Official Study Guide, Domain: ICS Security Operations & Incident Response NIST SP 800-61 Rev 2 (Incident Handling Guide) GICSP Training on Incident Response Lifecycle
Patching and configuring systems to meet secure standards (B) is a typical recovery activity to prevent recurrence.
Updating security policies (A) is usually part of the Post-Incident Activities or Governance.
Root cause analysis (C) is typically part of the Investigation or Analysis phase.
Forensic imaging (D) is part of the Containment and Eradication phases for evidence preservation.
GICSP aligns recovery activities with system hardening and return to normal operations.
Reference:
GICSP Official Study Guide, Domain: ICS Security Operations & Incident Response NIST SP 800-61 Rev 2 (Incident Handling Guide) GICSP Training on Incident Response Lifecycle
by Delia at Apr 06, 2026, 05:45 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).