Certified Information Security Manager (CISM) — Question 1156

What should be the FIRST step when investigating an employee suspected of inappropriately downloading proprietary information?

Answer options

• A. Check for a signed nondisclosure agreement (NDA).
• B. Review system access logs.
• C. Conduct a forensic examination of the device.
• D. Discuss the concern with the employee.

Correct answer: B

Explanation

The correct answer is B because reviewing system access logs can provide immediate insights into the employee's activities and any unauthorized access. Checking for a signed NDA (A) is important but does not directly address the suspicion. Conducting a forensic examination (C) and discussing the concern with the employee (D) are steps that may follow after initial evidence is gathered from the logs.