SY0-301 · Question #633
Who should be contacted FIRST in the event of a security breach?
The correct answer is C. Incident response team. The incident response team must be contacted first during a security breach to coordinate containment, eradication, and recovery before other stakeholders are engaged.
Question
Who should be contacted FIRST in the event of a security breach?
Options
- AForensics analysis team
- BInternal auditors
- CIncident response team
- DSoftware vendors
How the community answered
(41 responses)- A2% (1)
- B2% (1)
- C88% (36)
- D7% (3)
Why each option
The incident response team must be contacted first during a security breach to coordinate containment, eradication, and recovery before other stakeholders are engaged.
Forensic analysts are engaged after the incident response team has secured and scoped the breach, not as the first contact.
Internal auditors focus on compliance verification and are not equipped to lead containment of an active security breach.
The incident response team owns the structured process for containing and managing a security breach according to frameworks such as NIST SP 800-61. Contacting them first ensures the breach is properly contained before evidence is disturbed, minimizing damage and preserving forensic integrity. All other roles - forensics, auditors, and vendors - are brought in as directed by the incident response process.
Software vendors may be involved if a product vulnerability is identified, but only after the incident response team has assessed the situation.
Concept tested: Incident response team as first point of contact
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.