CompTIA Security+ (SY0-601) — Question 749
A security incident has been resolved. Which of the following BEST describes the importance of the final phase of the incident response plan?
Answer options
- A. It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be avoided in the future.
- B. It returns the affected systems back into production once systems have been fully patched, data restored, and vulnerabilities addressed.
- C. It identifies the incident and the scope of the breach, how it affects the production environment, and the ingress point.
- D. It contains the affected systems and disconnects them from the network, preventing further spread of the attack or breach.
Correct answer: A
Explanation
Option A is correct because the final phase of the incident response plan is a review: it analyzes how effective the response was, identifies the root cause, and determines preventive measures so that future efforts improve. Options B, C, and D describe earlier phases (recovery, identification, and containment, respectively) rather than the critical review and learning process that occurs in the final phase.