Certified Information Security Manager (CISM) — Question 217

During which of the following phases should an incident response team document actions required to remove the threat that caused the incident?

Answer options

Correct answer: A

Explanation

The correct answer is A, Eradication, because this phase focuses on removing the threat from the environment. Identification is about recognizing the incident, Containment is about limiting its impact, and Post-incident review occurs after the incident has been resolved, so these phases are less relevant for documenting removal actions.