Certified Information Security Manager (CISM) — Question 905
When responding to an incident involving malware on a server, which of the following should be done FIRST?
Answer options
- A. Isolate the server from the network.
- B. Identify the owner of the server.
- C. Locate the most recent backups.
- D. Investigate the source of the malware.
Correct answer: A
Explanation
The first action in a malware incident is to isolate the server from the network, which prevents further spread of the malware. Identifying the server's owner, locating backups, and investigating the source of the malware are important, but they should follow containment so that the integrity of the network is protected.