CompTIA Security+ (SY0-501) — Question 66
A security analyst notices anomalous activity coming from several workstations in the organization. Upon identifying and containing the issue, which of the following should the security analyst do NEXT?
Answer options
- A. Document and lock the workstations in a secure area to establish chain of custody
- B. Notify the IT department that the workstations are to be reimaged and the data restored for reuse
- C. Notify the IT department that the workstations may be reconnected to the network for the users to continue working
- D. Document findings and processes in the after-action and lessons learned report
Correct answer: D
Explanation
The correct answer is D because documenting the findings and the processes followed in an after-action and lessons-learned report ensures that what was learned can be applied in future incidents and improves the incident response capability. Options A and B may be necessary actions in some incidents, but they are not the immediate next step after containment. Option C is inappropriate because reconnecting the workstations could lead to further exposure if the issue has not been fully resolved.