SY0-501 Question #338: Real Exam Question with Answer & Explanation
The correct answer is D: Tabletop exercise. To shorten incident response times using historical data, an organization should conduct tabletop exercises. These exercises allow for the practical application and refinement of incident response plans and communication strategies based on past performance metrics.
Question
A director of IR is reviewing a report regarding several recent breaches. The director compiles the following statistics:
- Initial IR engagement time frame
- Length of time before an executive management notice went out
- Average IR phase completion
The director wants to use data to shorten the response time. Which of the following would accomplish this?
Options
- A. CSIRT
- B. Containment phase
- C. Escalation notifications
- D. Tabletop exercise
Explanation
To shorten incident response times using historical data, an organization should conduct tabletop exercises. These exercises allow for the practical application and refinement of incident response plans and communication strategies based on past performance metrics.
Common mistakes.
- A. A CSIRT is the team responsible for incident response, not a specific activity or methodology for using data to proactively shorten response times across multiple incidents.
- B. The containment phase is a specific stage within the incident response lifecycle focused on limiting the scope of an ongoing incident, rather than a mechanism for improving overall future response times through data analysis.
- C. Escalation notifications are a communication component of incident response; while vital, they do not inherently provide a framework for analyzing historical data to proactively shorten the entire incident response process.
Concept tested. Improving Incident Response through Exercises and Analysis
Reference. https://learn.microsoft.com/en-us/security/benchmark/azure/plan-conduct-tabletop-exercise