CompTIA Security+ (SY0-601) — Question 93
A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?
Answer options
- A. Recovery
- B. Identification
- C. Lessons learned
- D. Preparation
Correct answer: C
Explanation
The correct answer is 'C. Lessons learned' because this stage focuses on analyzing the incident after the fact: documenting how it occurred, what was done to recover, and what insights can be drawn to prevent future incidents. The other stages ('A. Recovery', 'B. Identification', and 'D. Preparation') do not specifically address the documentation and analysis of past incidents for future improvements.