After discovering a security incident, what is the second recommended step?

Study for the Information Systems Technician Second Class (IT2) Advancement Exam with our extensive set of flashcards and multiple-choice questions. Each question is accompanied by hints and thorough explanations. Enhance your knowledge and prepare for success!

Multiple Choice

After discovering a security incident, what is the second recommended step?

Explanation:
Preserving evidence is the key step to take after you’ve contained the incident. Once you’ve stopped the spread or further damage, you need to secure artifacts that will allow the investigation to proceed reliably. This means creating and safeguarding logs, disk images, memory captures, and network traffic data, while maintaining a strict chain of custody so the data stays admissible and trustworthy. If data is altered or logs are cleared, you lose the ability to reconstruct what happened, who was involved, and when it occurred. Preserving this evidence supports root-cause analysis, potential legal or regulatory actions, and informs how to recover and prevent recurrence. Notifying the supervisor or CSIRT and documenting what happened are important steps too, but they’re most effective once evidence has been preserved so the response team has solid information to work with.