CAS-001 · Question #447
CAS-001 Question #447: Real Exam Question with Answer & Explanation
The correct answer is D: Discussion of event timeline. A lessons learned meeting (also called a post-incident review or after-action review) is a structured process to understand what happened, why, and how to improve. Reviewing the event timeline (D) is fundamental - it establishes the sequence of events: when the incident was first
Question
Options
- ADemonstration of IPS system
- BReview vendor selection process
- CCalculate the ALE for the event
- DDiscussion of event timeline
- EAssigning of follow up items
Explanation
A lessons learned meeting (also called a post-incident review or after-action review) is a structured process to understand what happened, why, and how to improve. Reviewing the event timeline (D) is fundamental - it establishes the sequence of events: when the incident was first detected, how it escalated, what response actions were taken and when, and where delays or failures occurred. Without a timeline, root cause analysis is impossible. Assigning follow-up action items (E) is equally essential - lessons learned meetings are only valuable if they produce concrete, owned, and tracked improvements; without assigned follow-ups, findings remain observations with no accountability. IPS demonstration (A) is an operational activity, not a review component. Vendor selection review (B) may result from findings but is not a standard lessons learned component. ALE calculation (C) is a quantitative risk assessment method used in risk management, not incident post-mortems.
Community Discussion
No community discussion yet for this question.