CompTIA
CAS-002 Question #9: Real Exam Question with Answer & Explanation
The correct answer is A: Assess system status. The first step after a data breach is to assess the current system status to understand the scope and impact before taking any remediation action.
Question
A data breach occurred which impacted the HR and payroll system. It is believed that an attack from within the organization resulted in the data breach. Which of the following should be performed FIRST after the data breach occurred?
Options
- A. Assess system status
- B. Restore from backup tapes
- C. Conduct a business impact analysis
- D. Review NIDS logs
Explanation
The first step after a data breach is to assess the current system status to understand the scope and impact before taking any remediation action.
Common mistakes.
- B. Restoring from backup tapes before assessing the breach could overwrite forensic evidence and is premature until the scope and nature of the compromise are understood.
- C. A business impact analysis evaluates long-term effects and is a planning-phase activity, not the immediate first step during active incident response.
- D. Reviewing NIDS logs is part of the investigation and analysis phase, but it is a component of the broader system status assessment rather than the overarching first action.
Concept tested. Incident response first steps - system status assessment
Reference. https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final