Certified Information Security Manager (CISM) — Question 989

Which of the following should be the FIRST step when performing triage of a malware incident?

Answer options

• A. Preserving the forensic image
• B. Containing the affected system
• C. Comparing backup against production
• D. Removing the malware

Correct answer: B

Explanation

The correct first step in triaging a malware incident is to contain the affected system to prevent further damage or spread of the malware. Preserving the forensic image is important but comes after containment, while comparing backups and removing the malware are also subsequent actions that follow the initial containment step.