CompTIA CySA+ (CS0-002) — Question 29

Following a recent security breach, a company decides to investigate account usage to ensure privileged accounts are only being utilized during typical business hours. During the investigation, a security analyst determines an account was consistently utilized in the middle of the night. Which of the following actions should the analyst take NEXT?

Answer options

• A. Disable the privileged account.
• B. Initiate the incident response plan.
• C. Report the discrepancy to human resources.
• D. Review the activity with the user.

Correct answer: D

Explanation

The correct next step is to review the activity with the user to understand the context behind the unusual usage pattern. Disabling the account or initiating the incident response plan may be premature without first gathering more information. Reporting to human resources may not address the immediate security concern effectively.