Show Answer


The correct answer is B.

OBJ-4.1: To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, what order, and how high up the organizational leadership chart a particular issue would reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. When companies go “right to the top” of the leadership chart, the CEO and CIO will be acting on half-true or unverified information during the start of an incident response process. Instead, an established form for incident detail collection should be performed, the right technical leads should be notified of the incident, and the incident response team should be called in to analyze the information and provide a quick “stand up” report to leadership on what the issue is, what has already been done, and what they recommend doing from here to resolve the incident. All of the other options are best practices to consider and develop in the preparation phase. Still, they would not have solved the issue in this scenario of senior leadership being notified before the incident response team lead.

Hide Answer