A security team member calls you to inform you that one of your databases might have been compromised, but there are no details available. As the security leader, what should you do?
A. Tell her to initiate the incident response plan
B. Tell her to provide updates as they become available
C. Tell her to disconnect the servers connected to the database and call the help desk
D. Tell her to perform initial forensics and preserve system integrity
Explanation (based on the Chief Information Security Officer (CCISO) documents):
According to the EC-Council CCISO Body of Knowledge, the correct response to a suspected compromise—even without full details—is to initiate the incident response plan. CCISO guidance emphasizes that incident response plans are designed specifically for uncertain, evolving situations.
Initiating the plan does not imply panic or overreaction; instead, it activates predefined roles, communication paths, escalation criteria, and investigation procedures. CCISO materials stress that delaying activation until confirmation increases risk exposure and impact.
Performing forensics or disconnecting systems prematurely may destroy evidence or disrupt business unnecessarily. Waiting for updates without action contradicts CCISO guidance on proactive response.
Thus, initiating the incident response plan is the most appropriate leadership action.