CompTIA Security+ (SY0-501) — Question 908

A systems administrator has isolated an infected system from the network and terminated the malicious process from executing.
Which of the following should the administrator do NEXT according to the incident response process?

Answer options

• A. Restore lost data from a backup.
• B. Wipe the system.
• C. Document the lessons learned.
• D. Notify regulations of the incident.

Correct answer: A

Explanation

The correct action is to restore lost data from a backup, as this is essential for recovery after an incident. Wiping the system might be considered later, but immediate restoration is prioritized to recover operational capabilities. Documenting lessons learned and notifying regulations are important but come after ensuring the system is operational again.