CompTIA Security Plus Mock Test Q305

In which of the following steps of incident response does a team analyse the incident and determine steps to prevent a future occurrence?

A. Mitigation
B. Identification
C. Preparation
D. Lessons learned

Correct Answer: D
Section: Compliance and Operational Security

Explanation:
Incident response procedures involve, in chronological order: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recovery/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. Thus lessons are only learned after mitigation has occurred, for only then can you 'step back' and analyze the incident to prevent the same occurrence in future.

Incorrect Answers:
A: Mitigation is accomplished any time that any step has been taken to reduce risk.
B: When responding to an incident, the identification of the incident is essential to know how to handle the incident and then take steps. This happens well before an incident is analyzed to determine which steps to take to prevent the same occurrence in future.
C: Preparation involves all the preventative measures that are taken to prevent any risk incident. This does not mean that an incident has already occurred, as is alluded to in the question.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 429