Certified Information Systems Auditor (CISA) — Question 128
Which of the following should be the FIRST step in the incident response process for a suspected breach?
Answer options
- A. Engage a third party to independently evaluate the alerted breach.
- B. Notify business management of the security breach.
- C. Inform potentially affected customers of the security breach.
- D. Research the validity of the alerted breach.
Correct answer: D
Explanation
The correct first step is to research the validity of the alerted breach, as this determines whether any further actions are necessary. Engaging a third party, notifying management, or informing customers should only occur after confirming there is a legitimate breach. If the incident has not been validated, any actions taken may be premature or unnecessary.