iSACA Cybersecurity Fundamentals Certification Practice Exam

What does the IRP eradication phase involve?

• A. Verifying the incident severity
• B. Locating backups and improving defenses
• C. Establishing communication protocols
• D. Notifying stakeholders of incidents

The correct answer is: Locating backups and improving defenses

The eradication phase of an Incident Response Plan (IRP) focuses primarily on removing the threats or vulnerabilities that allowed the incident to occur in the first place. This includes locating and restoring backups to ensure that any data compromised during an incident is recovered and that systems can be restored to a secure state. Improving defenses is also a crucial part of this phase, as it involves analyzing the incident to identify weaknesses and implement changes to prevent a similar occurrence in the future. In this context, locating backups is essential because having reliable backups can significantly reduce downtime and data loss in the event of a cybersecurity incident. Additionally, enhancing defenses may involve patching vulnerabilities, updating security protocols, and strengthening access controls based on insights gained during the incident. The other choices relate to important actions that are part of the overall incident response process but do not specifically define the eradication phase. For instance, verifying the incident severity typically occurs earlier in the response process, while establishing communication protocols and notifying stakeholders focus on ensuring that relevant parties are informed and can respond effectively throughout the incident lifecycle. Therefore, the key focus of the eradication phase is indeed on addressing the underlying issues that led to the incident, making the understanding of this phase critical for effective incident management.