GIAC Security Leadership Certification (GSLC) — Question 14
Once the SOC command center notifies the appropriate internal and external parties that an incident is taking place, what should happen next?
Answer options
- A. Temporary measures should be put in place to prevent further damage to systems or the network
- B. The SOC should report the root cause of the incident to incident handlers and IT operations
- C. Procedures for restoring affected systems should be drafted by the incident handling team
- D. Forensics analysts should assess affected systems to ensure malicious artifacts have been removed
Correct answer: B
Explanation
The correct answer is B because it is crucial for the SOC to communicate the root cause of the incident to the incident handlers and IT operations to facilitate an effective response. Option A, while important, focuses on immediate damage control rather than understanding the incident's cause. Option C pertains to recovery procedures, and option D involves forensics, both of which follow the analysis of the root cause.