Certified Information Systems Auditor (CISA) — Question 277

A data breach has occurred due to malware. Which of the following should be the FIRST course of action?

Answer options

Correct answer: B

Explanation

The correct answer is B: quarantining the impacted systems prevents the malware from spreading and protects other assets. Shutting down systems (A) may not effectively stop the breach; notifying customers (C) is premature without understanding the extent of the breach; and alerting the cyber insurance company (D) is also secondary to containing the breach.