Certified Information Security Manager (CISM) — Question 1218
An incident response team has established that an application has been breached. Which of the following should be done NEXT?
Answer options
- A. Maintain the affected systems in a forensically acceptable state.
- B. Inform senior management of the breach.
- C. Isolate the impacted systems from the rest of the network.
- D. Conduct a risk assessment on the affected application.
Correct answer: C
Explanation
The correct action is to isolate the impacted systems from the rest of the network to prevent further damage and data loss. While maintaining the affected systems in a forensically acceptable state, informing senior management, and conducting a risk assessment are important steps, they should come after the immediate threat is contained.