CompTIA CASP+ (CAS-004) — Question 542
A security analyst monitoring an organization's IDS and DLP systems receives an alert indicating that files were removed from the network. The files came from the workstation of an employee who was authenticated but not authorized to access them. Which of the following should the organization do FIRST to address this issue?
Answer options
- A. Provide additional security awareness training.
- B. Disable the employee's credentials until the issue is resolved.
- C. Ask human resources to notify the employee that sensitive files were accessed.
- D. Isolate the employee's network segment and investigate further.
Correct answer: D
Explanation
The correct first step is to isolate the employee's network segment and investigate further: this contains the incident, stopping any ongoing data exfiltration or further unauthorized access from that segment while the investigation establishes what happened. Disabling the employee's credentials or informing HR may be necessary later, but immediate containment comes first. Additional awareness training may help in the long term but does nothing to address the security breach in progress.