In which of the following steps of incident response does a team analyse the incident and determine
steps to prevent a future occurrence?

A. Mitigation
B. Identification
C. Preparation
D. Lessons learned
Explanation:
Incident response procedures involve, in chronological order: Preparation; Incident identification;
Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution
procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and
loss control. Thus lessons are learned only after mitigation has occurred, for only then can you ‘step back’
and analyze the incident to prevent the same occurrence in future.
Incorrect Answers:
A: Mitigation is accomplished anytime that any steps have been taken to reduce risk.
B: When responding to an incident the identification of the incident is essential to know how to handle
the incident and then take steps. This happens way before an incident is analyzed to determine which
steps to take to prevent the same occurrence in future.
C: Preparation involves all the preventative measures that are taken to prevent any risk incident. This
does not mean that an incident has already occurred, as is alluded to in the question.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 429