CompTIA Security+ (SY0-601) — Question 839

The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process?

Answer options

• A. Updating the playbooks with better decision points
• B. Dividing the network into trusted and untrusted zones
• C. Providing additional end-user training on acceptable use
• D. Implementing manual quarantining of infected hosts

Correct answer: A

Explanation

Updating the playbooks with better decision points (A) ensures that the incident response team has clear, effective guidelines to follow, which can significantly reduce the time taken to make critical decisions during an incident. The other options, while beneficial in certain contexts, do not directly address the need for improved decision-making speed and clarity during an incident response.