nerdexam
Cisco

210-255 · Question #66

What is accomplished in the identification phase of incident handling?

The correct answer is D. determining that a security event has occurred. The identification phase of incident handling is focused on confirming and determining that an actual security incident has occurred, distinguishing real events from false positives.

Security Policies and Procedures

Question

What is accomplished in the identification phase of incident handling?

Options

  • Adetermining the responsible user
  • Bidentifying source and destination IP addresses
  • Cdefining the limits of your authority related to a security event
  • Ddetermining that a security event has occurred

How the community answered

(31 responses)
  • B
    6% (2)
  • C
    3% (1)
  • D
    90% (28)

Why each option

The identification phase of incident handling is focused on confirming and determining that an actual security incident has occurred, distinguishing real events from false positives.

Adetermining the responsible user

Determining the responsible user is part of the investigation or forensics stage, which occurs after the incident has been identified and contained.

Bidentifying source and destination IP addresses

Identifying source and destination IP addresses is a technical analysis activity that occurs during the analysis or containment phase, not the initial identification phase.

Cdefining the limits of your authority related to a security event

Defining the limits of authority related to a security event is part of the preparation phase, where policies, roles, and rules of engagement are established before any incident occurs.

Ddetermining that a security event has occurredCorrect

During the identification phase, the incident response team collects and analyzes indicators to confirm that a security event or breach has actually taken place. This involves reviewing alerts, logs, and anomalies to establish that an incident is real rather than a false positive. Only after identification is confirmed does the team move into containment and further investigation.

Concept tested: Incident response lifecycle - identification phase

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#incident handling#identification phase#security event#incident response

Community Discussion

No community discussion yet for this question.

Full 210-255 Practice