210-255 · Question #63
Which component of the NIST SP800-61 r2 incident handling strategy reviews data?
The correct answer is D. post-incident analysis. The post-incident activity phase of NIST SP800-61 r2 is specifically where incident data is reviewed, lessons are documented, and process improvements are identified.
Question
Which component of the NIST SP800-61 r2 incident handling strategy reviews data?
Options
- Apreparation
- Bdetection and analysis
- Ccontainment, eradication, and recovery
- Dpost-incident analysis
How the community answered
(53 responses)- A2% (1)
- B2% (1)
- C6% (3)
- D91% (48)
Why each option
The post-incident activity phase of NIST SP800-61 r2 is specifically where incident data is reviewed, lessons are documented, and process improvements are identified.
Preparation focuses on building incident handling capability, acquiring tools, and establishing policies before incidents occur, not reviewing data from completed incidents.
Detection and analysis is the active phase of identifying indicators of compromise and understanding an ongoing incident in real time, not a retrospective data review.
Containment, eradication, and recovery involves actively limiting damage, removing threats, and restoring systems during an incident - it is an operational response phase, not a data review phase.
NIST SP800-61 r2 defines post-incident activity as the phase that includes a formal lessons-learned meeting and retrospective analysis of all data collected during the incident. This phase systematically examines what occurred, how effectively the team responded, and what procedural or technical changes should be implemented - making it the component explicitly responsible for reviewing incident data after resolution.
Concept tested: NIST SP800-61 r2 post-incident activity phase responsibilities
Source: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.