CompTIA CASP+ (CAS-003) — Question 235

Confidential information related to Application A, Application B, and Project X appears to have been leaked to a competitor. After consulting with the legal team, the IR team is advised to take immediate action to preserve evidence for possible litigation and criminal charges.
While reviewing the rights and group ownership of the data involved in the breach, the IR team inspects the following distribution group access lists:
Group Name: product-updates-application-a
Members: administrator, app-support, dev-ops, jdoe, jsmith, mpeters

Group Name: pending-bug-fixes-application-a
Members: administrator, app-support, dev-ops, jsmith, jdoe, mpeters, rwilliams

Group Name: inflight-updates-application-b
Members: app-support, dev-ops, jdoe, nbrown, jsmith

Group Name: PoC-project-x
Members: dev-support, product-mgt, jsmith, nbrown, rwilliams
Which of the following actions should the IR team take FIRST?

Answer options

Correct answer: A

Explanation

The correct first action is to remove all members from the distribution groups, which immediately stops further access to the leaked information and helps protect the evidence. Placing jsmith's mailbox on legal hold and deploying DLP software are important follow-up steps, but neither is the immediate action needed to secure the data. Implementing a proxy server to inspect outbound traffic is likewise a follow-up measure and less urgent than removing access.
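The access-list review in the scenario is a common IR scoping step: before touching group membership, snapshot the lists as evidence, then work out which accounts could reach every leaked asset. The script below is an added example written for this page, not material from CompTIA or the exam; it embeds the group listing quoted in the question as constructed input, and the mapping of group names to assets (matching "application-a", "application-b", "project-x" in the group name) is an assumption made for the example.

```python
"""Snapshot distribution-group membership and find which members had access
to every leaked asset (Application A, Application B, Project X)."""
import json

# Constructed input: the group listing quoted in the question.
GROUP_LISTING = """\
Group Name: product-updates-application-a
Members: administrator, app-support, dev-ops, jdoe, jsmith, mpeters
Group Name: pending-bug-fixes-application-a
Members: administrator, app-support, dev-ops, jsmith, jdoe, mpeters, rwilliams
Group Name: inflight-updates-application-b
Members: app-support, dev-ops, jdoe, nbrown, jsmith
Group Name: PoC-project-x
Members: dev-support, product-mgt, jsmith, nbrown, rwilliams
"""

# Assumption for this example: a group relates to an asset when the asset's
# keyword appears in the group name.
ASSET_KEYWORDS = {
    "Application A": "application-a",
    "Application B": "application-b",
    "Project X": "project-x",
}


def parse_groups(text):
    """Parse 'Group Name:' / 'Members:' pairs into {group: set(members)}."""
    groups, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Group Name:"):
            name = line.split(":", 1)[1].strip().rstrip(" -")
        elif line.startswith("Members:") and name:
            members = line.split(":", 1)[1].split(",")
            groups[name] = {m.strip() for m in members if m.strip()}
            name = None
    return groups


def membership_snapshot(groups):
    """Evidence-preservation step: a stable JSON record of membership as found,
    to be hashed and stored before any member is removed."""
    return json.dumps({g: sorted(m) for g, m in sorted(groups.items())}, indent=2)


def members_per_asset(groups, keywords=ASSET_KEYWORDS):
    """Union of members across all groups tied to each leaked asset."""
    result = {}
    for asset, kw in keywords.items():
        members = set()
        for gname, gmembers in groups.items():
            if kw in gname.lower():
                members |= gmembers
        result[asset] = members
    return result


def access_breadth(groups, keywords=ASSET_KEYWORDS):
    """How many of the leaked assets each member could reach."""
    counts = {}
    for members in members_per_asset(groups, keywords).values():
        for m in members:
            counts[m] = counts.get(m, 0) + 1
    return counts


def members_with_access_to_all(groups, keywords=ASSET_KEYWORDS):
    """Members present in at least one group for every leaked asset."""
    per_asset = list(members_per_asset(groups, keywords).values())
    if not per_asset:
        return []
    common = set.intersection(*per_asset)
    return sorted(common)


if __name__ == "__main__":
    parsed = parse_groups(GROUP_LISTING)
    print(membership_snapshot(parsed))            # preserve first
    print("Reach all three assets:", members_with_access_to_all(parsed))
    print("Access breadth:", access_breadth(parsed))
```

Run as-is, the snapshot is printed before any analysis, mirroring the order the scenario calls for (preserve, then act), and the intersection shows that only one account appears in groups for all three leaked assets.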