CISM Certified Information Security Manager – Question1404

An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?

A. Ensure that critical data on the server are backed up.
B. Shut down the compromised server.
C. Initiate the incident response process.
D. Shut down the network.

Correct Answer: C

Explanation:

The incident response process will determine the appropriate course of action. If the data have been corrupted by a hacker, the backup may also be corrupted. Shutting down the server is likely to destroy any forensic evidence that may exist and may be required by the investigation. Shutting down the network is a drastic action, especially if the hacker is no longer active on the network.