According to the incident response procedure, which of the following should the security team do NEXT?

A help desk technician inadvertently sent the credentials of the company’s CRM in clear text to an employee’s personal email account. The technician then reset the employee’s account using the appropriate process and the employee’s corporate email, and notified the security team of the incident.

According to the incident response procedure, which of the following should the security team do NEXT?
A. Contact the CRM vendor.
B. Prepare an incident summary report.
C. Perform postmortem data correlation.
D. Update the incident response plan.

Answer: C

Explanation:

The security team should perform postmortem data correlation next after receiving notification of the incident from the help desk technician. Postmortem data correlation is an activity that involves analyzing data from various sources (such as logs, alerts, reports, etc.) to identify root causes, impacts, indicators of compromise (IoCs), lessons learned, and recommendations for improvement after an incident [3]. Postmortem data correlation can help the security team to:

✑ Determine how the incident occurred and how it was detected and resolved

✑ Assess the scope and severity of the incident and its effects on confidentiality, integrity, and availability

✑ Identify any gaps or weaknesses in security controls or processes that contributed to the incident

✑ Develop action plans or remediation strategies to prevent recurrence or mitigate future incidents
