CISSP Question #4: Real Exam Question with Answer & Explanation
The correct answer is D: Investigate all symptoms to confirm the incident.
Question
Which of the following is the FIRST step in the incident response process?
Options
- A. Determine the cause of the incident
- B. Disconnect the system involved from the network
- C. Isolate and contain the system involved
- D. Investigate all symptoms to confirm the incident
Explanation
The first step in incident response is to investigate and confirm that an actual incident has occurred before taking any remediation actions. Acting without confirmation risks disrupting normal operations unnecessarily.
Common mistakes
- A. Determining the root cause is part of the later analysis or post-incident activity phase, not the first step, as you must first confirm an incident exists before performing root cause analysis.
- B. Disconnecting a system from the network is a containment action that occurs after the incident has been identified and confirmed, and premature disconnection can destroy volatile forensic evidence.
- C. Isolating and containing the affected system is the second major phase of incident response, which only begins after the incident has been identified and verified through initial investigation.
Concept tested: Incident response lifecycle, order of the identification phase
Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf