ISACA CISM: what should security team do NEXT after cyberattack resulting in data loss

Question

An organization’s operations have been significantly impacted by a cyberattack resulting in data loss. Once the attack has been contained, what should the security team do NEXT?

A. Update the incident response plan.
B. Perform a root cause analysis.
C. Implement compensating controls.
D. Conduct a lessons learned exercise.

Answer

D. Conduct a lessons learned exercise.

Explanation

The correct answer is D. Conduct a lessons learned exercise. This is because a lessons learned exercise is a process of reviewing and evaluating the incident response activities, identifying the strengths and weaknesses, and documenting the findings and recommendations for improvement. A lessons learned exercise can help the security team to learn from the experience, enhance their skills and knowledge, and improve their incident response plan and procedures for future incidents.

The other options are not the next steps that the security team should do after containing the attack. Updating the incident response plan (A) is a good practice, but it should be done based on the results of the lessons learned exercise, not before. Performing a root cause analysis (B) is also important, but it should be done as part of the investigation phase, not after containing the attack. Implementing compensating controls is also beneficial, but it should be done as part of the recovery phase, not after containing the attack.

Therefore, conducting a lessons learned exercise (D) is the most appropriate next step for the security team to do after containing a cyberattack resulting in data loss.

Reference

Isaca Certified Information Security Manager CISM certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Isaca Certified Information Security Manager CISM exam and earn Isaca Certified Information Security Manager CISM certification.