If an organization considers taking legal action on a security incident, the information security manager should
focus PRIMARILY on:
A.
obtaining evidence as soon as possible.
B.
preserving the integrity of the evidence.
C.
disconnecting all IT equipment involved.
D.
reconstructing the sequence of events.
Explanation:
The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law). All other options are pan of the investigative procedure, but they are not as important as preserving the integrity of the evidence.