Certified Information Security Manager (CISM) — Question 216
An information security manager has been notified about a compromised endpoint device. Which of the following is the BEST course of action to prevent further damage?
Answer options
- A. Run a virus scan on the endpoint device
- B. Wipe and reset the endpoint device
- C. Power off the endpoint device
- D. Isolate the endpoint device
Correct answer: D
Explanation
Isolating the endpoint device (disconnecting it from the network, or quarantining it through EDR or a network access control rule) is the containment step of incident response: it stops the compromise from spreading laterally or communicating with attacker infrastructure while keeping the device intact for investigation. Running a virus scan (A) does nothing to stop activity that is already under way, and may not detect the malware or the attacker's foothold at all. Wiping and resetting (B) is an eradication and recovery action; performed before containment and investigation, it destroys the forensic evidence needed to determine the scope of the incident and may be more drastic than the situation requires. Powering off (C) loses volatile evidence such as memory contents, running processes and active network connections, and may not fully contain the threat if the attacker already has persistence or access elsewhere.