SY0-501 Question #367: Real Exam Question with Answer & Explanation
The correct answer is A: Lessons learned. This question tests knowledge of the incident response lifecycle phases, specifically the post-incident activity where teams review and document what occurred.
Question
After a security incident, management is meeting with involved employees to document the incident and its aftermath. Which of the following BEST describes this phase of the incident response process?
Options
- A. Lessons learned
- B. Recovery
- C. Identification
- D. Preparation
Explanation
Lessons learned is the post-incident activity phase of the incident response lifecycle: once the incident is over, the team meets to review and document what occurred, how it was handled, and what should change. A management meeting with the involved employees to document the incident and its aftermath is exactly that activity, so A is the best answer.
Common mistakes
- B. Recovery is the phase focused on restoring affected systems and services back to normal operation, not documenting the incident aftermath with employees.
- C. Identification (also called Detection/Analysis) is the phase where the team determines whether an event constitutes an actual security incident, which occurs early in the response process before remediation.
- D. Preparation is the phase that occurs before any incident, involving establishing policies, tools, and training so the team is ready to respond effectively when an incident does occur.
Concept tested: Incident response lifecycle phases and lessons learned
Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf