CompTIA CASP+ (CAS-003) — Question 38
A hospital's security team recently determined its network was breached and patient data was accessed by an external entity. The Chief Information Security Officer (CISO) of the hospital approaches the executive management team with this information, reports that the vulnerability that led to the breach has already been remediated, and explains that the team is continuing to follow the appropriate incident response plan. The executive team is concerned about the hospital's brand reputation and asks the CISO when the incident should be disclosed to the affected patients. Which of the following is the MOST appropriate response?
Answer options
- A. When it is mandated by their legal and regulatory requirements
- B. As soon as possible in the interest of the patients
- C. As soon as the public relations department is ready to be interviewed
- D. When all steps related to the incident response plan are completed
- E. Upon the approval of the Chief Executive Officer (CEO) to release information to the public
Correct answer: A
Explanation
The most appropriate response is A. Disclosure of a breach involving patient data is not a discretionary decision driven by brand reputation, executive comfort, or the state of the incident response plan; it is governed by the legal and regulatory obligations that apply to the organization and the data involved. For a hospital handling protected health information in the United States, the HIPAA Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach, and state breach-notification laws may impose additional or shorter deadlines. Following those requirements is what protects both the patients (who are guaranteed timely notice) and the hospital (which avoids penalties for late or missing notification), so the CISO should tie the disclosure timeline to those mandates, typically with input from legal counsel and the privacy officer.

The other options fail for the following reasons. B sounds patient-friendly, but "as soon as possible" is not a defined standard: disclosing before the scope of affected records and the facts are established can produce inaccurate notices that must later be corrected, and it still does not guarantee the regulatory deadline is met. C and E subordinate a legal obligation to public relations readiness or to a single executive's approval; neither can override a statutory deadline, and waiting for them can push notification past the required window. D is wrong because an incident response plan's later phases (lessons learned, long-term monitoring, control improvements) can run well beyond the notification deadline, so waiting for every step to complete would put the hospital out of compliance.