Certified Information Systems Security Professional (CISSP) — Question 207

Which is the FIRST action the Incident Response team should take when an incident is suspected?

Answer options

• A. Choose a containment strategy.
• B. Record all facts regarding the incident.
• C. Attempt to identify the attacker.
• D. Notify management of the incident.

Correct answer: B

Explanation

The first action should be to document all details regarding the incident, as this provides a factual basis for further investigation and response. Choosing a containment strategy (A), identifying the attacker (C), or notifying management (D) may all be important steps, but they should come after ensuring that all facts about the incident are properly recorded.