Q1. A final IR plan should be tested at least ____________________ by performing at least a structured walk-through test and a more realistic type of test, when possible.

Q2. ____________________ testing can come from standardization boards or consultants (for example, ISO 9000), certification or accreditation groups, or a group selected by the organization’s management from a sister company.

Q3. NIST defines an event as “any observable occurrence in a system or network” and defines a(n) ____________________ event as “an event with negative consequences.”

Q4. In order to do an effective job, the CSIRT needs to know who it works for and what systems it should focus on; in other words, it needs to identify its ____________________.