CompTIA CySA+ (CS0-001) — Question 96
A SIEM analyst noticed a spike in activity from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data had been uploaded to a cloud provider over the last six months. Which of the following actions should the analyst take FIRST?
Answer options
- A. Contact the Office of Civil Rights (OCR) to report the breach
- B. Notify the Chief Privacy Officer (CPO)
- C. Activate the incident response plan
- D. Put an ACL on the gateway router
Correct answer: D
Explanation
The correct action is to implement an ACL on the gateway router, which quickly restricts the unauthorized access and stops any further data exfiltration. Notifying the CPO and the OCR may be necessary later, but those notifications should follow immediate containment. Activating the incident response plan is essential, but securing the network first is critical to halt a potentially ongoing breach.