CISM Certified Information Security Manager – Question 1279

An organization has determined that one of its web servers has been compromised. Which of the following actions should be taken to preserve the evidence of the intrusion for forensic analysis and potential litigation?

A. Reboot the server in a secure area to search for digital evidence.
B. Unplug the server from the power.
C. Restrict physical and logical access to the server.
D. Run analysis tools to detect the source of the intrusion.

Correct Answer: C