(ISC)2
CISSP · Question #340
CISSP Question #340: Real Exam Question with Answer & Explanation
Submitted by chen.hong · Mar 5, 2026 · Security Operations
Question
A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established. What MUST be considered or evaluated before performing the next step?
Options
- A. Notifying law enforcement is crucial before hashing the contents of the server hard drive
- B. Identifying who executed the incident is more important than how the incident happened
- C. Removing the server from the network may prevent catching the intruder
- D. Copying the contents of the hard drive to another storage device may damage the evidence
Topics
#incident response · #active intruder · #containment strategies · #forensics considerations