CompTIA CySA+ (CS0-002) — Question 304

During an incident, it is determined that a customer database containing email addresses, first names, and last names was exfiltrated. Which of the following should the security analyst do NEXT?

Answer options

• A. Consult with the legal department for regulatory impact.
• B. Encrypt the database with available tools.
• C. Email the customers to inform them of the breach.
• D. Follow the incident communications process.

Correct answer: D

Explanation

The correct action is to follow the incident communications process, as this ensures that all necessary stakeholders are informed and that the response is organized. Consulting with the legal department or emailing customers can be part of the process, but they should not be the first step taken. Encrypting the database is not a suitable immediate response after a breach has occurred.