When a possible intrusion into your organization’s information system has been detected, which of the following
actions should be performed first?
A. Eliminate all means of intruder access.
B. Contain the intrusion.
C. Determine to what extent systems and data are compromised.
D. Communicate with relevant parties.
Explanation:
If the event is determined to be a real incident, it is identified and classified. Once we understand the severity of
the incident taking place, we move on to the next stage, which is investigation. Investigation involves the proper
collection of relevant data, which will be used in the analysis and following stages. The goals of these stages
are to reduce the impact of the incident, identify the cause of the incident, resume operations as soon as
possible, and apply what was learned to prevent the incident from recurring.
Incorrect Answers:
A: Before we can eliminate intruder access we would have to determine the extent of the intrusion.
B: Before containing the intrusion we need to determine the extent of the intrusion.
D: Before we can communicate with the relevant parties we need to determine the extent of the intrusion.
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1038