CompTIA
CAS-002 · Question #301
CAS-002 Question #301: Real Exam Question with Answer & Explanation
The correct answer is D: Discussion of event timeline. A lessons learned meeting following a security incident should focus on understanding what happened and ensuring corrective actions are tracked: the timeline review and follow-up assignments are the core components.
Question
A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO).
Options
- A. Demonstration of IPS system
- B. Review vendor selection process
- C. Calculate the ALE for the event
- D. Discussion of event timeline
- E. Assigning of follow up items
Explanation
A lessons learned meeting following a security incident should focus on understanding what happened and ensuring corrective actions are tracked: the timeline review and follow-up assignments are the core components.
Common mistakes.
- A. A demonstration of the IPS system is a technical training activity unrelated to the retrospective analysis of a specific incident.
- B. Reviewing the vendor selection process is a procurement governance activity that is not a standard component of an incident lessons learned meeting.
- C. Calculating the Annual Loss Expectancy (ALE) is a quantitative risk assessment technique used in risk management planning, not in post-incident lessons learned meetings.
Concept tested. Incident response lessons learned meeting components
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf