CompTIA CySA+ (CS0-003) — Question 508
Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?
Answer options
- A. The lead should review what is documented in the incident response policy or plan
- B. Management-level members of the CSIRT should make that decision
- C. The lead has the authority to decide who to communicate with at any time
- D. Subject matter experts on the team should communicate with others within the specified area of expertise
Correct answer: A
Explanation
The correct answer is A because the incident response policy or plan provides guidance on communication protocols during a security incident. Option B is incorrect as it suggests that only management should decide communication, which may not always be appropriate. Option C is misleading because while the lead has authority, they should still follow established protocols. Option D incorrectly implies that only subject matter experts should communicate, which does not encompass the broader responsibilities of the CSIRT lead.