Back to Student Worksheet
Computer Science Grade 9-12 Answer Key

Computer Science: Cybersecurity Incident Response Plan

Planning, documenting, and improving a response to cyber incidents

Answer Key
Name:
Date:
Score: / 15

Computer Science: Cybersecurity Incident Response Plan

Planning, documenting, and improving a response to cyber incidents

Computer Science - Grade 9-12

Instructions: Read each scenario carefully. Answer in complete sentences and show your reasoning where appropriate.
  1. 1

    List the six common phases of a cybersecurity incident response plan and briefly explain the purpose of each phase.

    Think about what happens before, during, and after an attack.

    The six common phases are preparation, identification, containment, eradication, recovery, and lessons learned. Preparation gets people, tools, and procedures ready. Identification confirms that an incident is happening. Containment limits damage. Eradication removes the cause of the incident. Recovery restores normal operations. Lessons learned improves the plan for the future.
  2. 2

    A student reports that a school laptop suddenly displays a message demanding payment to unlock files. Which incident response phase begins first after the report, and what should the response team do during that phase?

    The identification phase begins first after the report. The response team should confirm whether the laptop is affected by ransomware, record the symptoms, collect basic details, and determine the possible scope of the incident.
  3. 3

    Explain the difference between containment and eradication in an incident response plan.

    One phase stops the problem from spreading, and the other removes the problem.

    Containment limits the spread or impact of an incident, such as disconnecting an infected computer from the network. Eradication removes the root cause, such as deleting malware, closing a compromised account, or patching the vulnerable software.
  4. 4

    A company detects that one employee account is sending suspicious emails to hundreds of contacts. Write two immediate containment actions the company should take.

    The company should disable or lock the compromised account to stop more emails from being sent. It should also reset the account password and revoke active sessions or tokens so the attacker cannot keep using the account.
  5. 5

    Read the event log summary: 8:05 a.m. login from the employee's city, 8:10 a.m. failed login attempts from another country, 8:12 a.m. successful login from that country, 8:15 a.m. password changed, 8:18 a.m. mass email sent. Identify the most likely incident and explain your evidence.

    Look for a sequence of events that shows unauthorized access.

    The most likely incident is an account compromise. The evidence includes failed login attempts from another country, a successful login from that country, a password change soon after, and mass email activity that does not match normal behavior.
  6. 6

    Why should an incident response plan define roles such as incident commander, technical lead, communications lead, and legal or compliance contact?

    An incident response plan should define roles so that everyone knows who makes decisions, who investigates technical issues, who communicates updates, and who handles legal or compliance requirements. Clear roles reduce confusion and speed up the response.
  7. 7

    A school server may have been hacked. Write three pieces of information that should be included in the first incident ticket or report.

    A useful report helps the next responder understand what happened and when.

    The first incident ticket should include the date and time the issue was discovered, the system or server affected, and a description of suspicious activity or alerts. It may also include who reported it and what actions have already been taken.
  8. 8

    Choose the better communication message for students and explain why it is better. Message A: There was a huge hack and everything may be unsafe. Message B: We are investigating a security issue affecting the student portal. Please do not reset passwords until further notice, and we will provide an update by 3:00 p.m.

    Message B is better because it is clear, calm, specific, and gives an action for students to follow. It also provides a time for the next update, which helps reduce rumors and confusion.
  9. 9

    During an incident, why is it important to preserve evidence before wiping a computer or reinstalling software?

    Investigators need clues before the system is changed.

    It is important to preserve evidence because logs, files, memory, and system details may show how the incident happened, what data was affected, and what the attacker did. Wiping the computer too early could destroy information needed for investigation or legal reporting.
  10. 10

    A web application was attacked through an unpatched vulnerability. Give one eradication action and one recovery action for this incident.

    An eradication action is to apply the security patch or remove the vulnerable code that allowed the attack. A recovery action is to restore the application to service after testing that the patch works and the system is secure.
  11. 11

    The table shows possible incidents: phishing email, lost phone with school email access, malware on a lab computer, and leaked database password. For each incident, name one containment action.

    Containment actions should reduce immediate risk and limit spread.

    For a phishing email, the school can block the sender and remove the email from inboxes. For a lost phone, the school can remotely wipe the device or revoke its access. For malware on a lab computer, the school can disconnect it from the network. For a leaked database password, the school can rotate the password and disable the old credential.
  12. 12

    Explain what a severity level is in an incident response plan. Give an example of a low-severity incident and a high-severity incident.

    A severity level is a rating that describes how serious an incident is based on impact, scope, urgency, and risk. A low-severity incident could be one blocked phishing email with no clicks. A high-severity incident could be ransomware spreading across many systems or confirmed theft of private data.
  13. 13

    A backup is available after a ransomware attack, but it was last made three weeks ago. What should the response team check before restoring from the backup?

    A backup is only useful if it is safe and recent enough for the organization.

    The response team should check whether the backup is clean, complete, and not already infected. It should also consider how much data would be lost by restoring a three-week-old backup and verify that the ransomware entry point has been removed before recovery.
  14. 14

    Create a short checklist of five actions that should be completed during the preparation phase of an incident response plan.

    A preparation checklist could include assigning incident response roles, creating contact lists, setting up logging and monitoring, training staff on how to report incidents, and testing backups. These actions make the organization ready before an incident occurs.
  15. 15

    After a data breach, the team holds a lessons learned meeting. Write three questions the team should ask and explain how the answers can improve the incident response plan.

    The goal is not to blame people. The goal is to improve the system and the plan.

    The team should ask what caused the incident, what parts of the response worked well, and what slowed the response down. The answers can help the team fix technical weaknesses, keep effective procedures, update unclear steps, and improve training for future incidents.
LivePhysics™.com Computer Science - Grade 9-12 - Answer Key