CompTIA CASP+ (CAS-004) — Question 254

Law enforcement officials informed an organization that an investigation has begun. Which of the following is the FIRST step the organization should take?

Answer options

• A. Initiate a legal hold.
• B. Refer to the retention policy.
• C. Perform e-discovery.
• D. Review the subpoena.

Correct answer: A

Explanation

The correct first step is to initiate a legal hold to preserve all relevant information and prevent any deletion or alteration of data that may be pertinent to the investigation. Referring to the retention policy, performing e-discovery, or reviewing the subpoena are subsequent steps that should be taken after a legal hold has been established.