CompTIA Security Plus Mock Test Q304

Who should be contacted FIRST in the event of a security breach?

A. Forensics analysis team
B. Internal auditors
C. Incident response team
D. Software vendors


Correct Answer: C
Section: Compliance and Operational Security

Explanation:
A security breach is an incident and requires a response. The incident response team is better equipped than the other options to deal with any incident, because its procedures are written for exactly that purpose. Those procedures cover: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recovery/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control.

Incorrect Answers:
A: Forensic analysis deals with the evidence found in computers and on digital storage media. Incident response encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.
B: Internal auditing is part of the job description of the incident response team when they document and record the costs involved in addressing the incident.
D: Software vendors are only contacted when the incident response team deems it necessary. Thus the first contact in the event of a security breach is the incident response team.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 429, 446