CompTIA CySA+ (CS0-003) — Question 493

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

Answer options

• A. To satisfy regulatory requirements for incident reporting
• B. To hold other departments accountable
• C. To identify areas of improvement in the incident response process
• D. To highlight the notable practices of the organization's incident response team

Correct answer: C

Explanation

The correct answer is C because the purpose of including lessons learned is to pinpoint areas where the incident response process can be improved for future incidents. Option A, while relevant for compliance, is not the main focus of the report. Option B suggests accountability rather than improvement, and option D, although it highlights positive practices, does not directly address the need for enhancements.