CompTIA Security Plus Mock Test Q302

The Chief Technical Officer (CTO) has tasked The Computer Emergency Response Team (CERT) to develop and update all Internal Operating Procedures and Standard Operating Procedures documentation in order to successfully respond to future incidents. Which of the following stages of the Incident Handling process is the team working on?

A. Lessons Learned
B. Eradication
C. Recovery
D. Preparation

Correct Answer: D
Section: Compliance and Operational Security

Explanation:
Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recovery/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. Developing and updating all internal operating and standard operating procedures documentation so that the team can handle future incidents is part of preparation.

Incorrect Answers:
A: Lessons learned presumes that an incident has already occurred, whereas developing and updating procedures for handling future incidents means the incident has not occurred yet.
B: Eradication assumes that an incident has already occurred.
C: Recovery is a phase that happens after an incident has occurred.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014