CompTIA Security+ (SY0-501) — Question 877
A newly hired Chief Security Officer (CSO) is reviewing the company's IRP and notices the procedures for zero-day malware attacks are being poorly executed, resulting in the CSIRT failing to address and coordinate malware removal from the system. Which of the following phases would BEST address these shortcomings?
Answer options
- A. Identification
- B. Lessons learned
- C. Recovery
- D. Preparation
- E. Eradication
Correct answer: B
Explanation
The 'Lessons learned' phase is crucial for analyzing what went wrong during the incident response, allowing the organization to improve future responses. Other phases like 'Identification', 'Recovery', 'Preparation', and 'Eradication' focus on immediate actions rather than reflecting on past mistakes to enhance future protocols.