CompTIA CySA+ (CS0-003) — Question 476
During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee’s personal email. Which of the following should the analyst recommend be done first?
Answer options
- A. Place a legal hold on the employee’s mailbox.
- B. Enable filtering on the web proxy.
- C. Disable the public email access with CASB.
- D. Configure a deny rule on the firewall.
Correct answer: C
Explanation
The correct answer is C because disabling access to the public email service through the CASB prevents any further data leakage. The other options may be relevant later, but they do not immediately stop the ongoing risk of sensitive data being sent to an unauthorized external destination.