An information security manager believes that a network file server was compromised by a hacker. Which of
the following should be the FIRST action taken?
A.
Unsure that critical data on the server are backed up.
B.
Shut down the compromised server.
C.
Initiate the incident response process.
D.
Shut down the network.
Explanation:
The incident response process will determine the appropriate course of action. If the data have been corrupted by a hacker, the backup may also be corrupted. Shutting down the server is likely to destroy any forensic evidence that may exist and may be required by the investigation. Shutting down the network is a drastic action,
especially if the hacker is no longer active on the network.