Certified Information Systems Auditor (CISA) — Question 427
When an intrusion into an organization's network is detected, which of the following should be done FIRST?
Answer options
- A. Contact law enforcement.
- B. Identify nodes that have been compromised.
- C. Block all compromised network nodes.
- D. Notify senior management.
Correct answer: B
Explanation
The correct first step is to identify nodes that have been compromised (B) to understand the extent of the breach. Contacting law enforcement (A) or notifying senior management (D) may be important, but without first assessing the compromised areas, those actions may not be effective. Blocking all compromised nodes (C) is a reactive step that should follow the identification process.