Certified Information Security Manager (CISM) — Question 745

If civil litigation is a goal for an organizational response to a security incident, the PRIMARY step should be to:

Answer options

• A. capture evidence using standard server-backup utilities.
• B. document the chain of custody.
• C. reboot affected machines in a secure area to search for evidence.
• D. contact law enforcement.

Correct answer: B

Explanation

The correct answer is B, as documenting the chain of custody is crucial for ensuring that evidence is preserved and can be used in court. Options A and C do not prioritize the legal aspects of evidence handling, while option D, although important, is not the primary step in preparing for civil litigation.