A retailer discovers that customer payment data may have been exposed through a third-party service. Sales leaders want to delay public communication until the investigation is complete, while IT wants to shut down the integration immediately. Which response best reflects executive-level incident governance?

Question

BlackTom AI · Accepted Answer

Containment, evidence preservation, legal/compliance involvement, and fact-based public communication form the core of executive-level incident governance.

1) Relevant knowledge points and concepts
- Incident response lifecycle: identify, contain, eradicate, recover, and lessons learned.
- Chain-of-custody and forensic preservation to support investigation and potential legal/regulatory proceedings.
- Regulatory notification obligations (data breach laws, payment card industry rules) with strict timelines.
- Roles and responsibilities: executives coordinate cross‑functional decisions (IT, legal, PR, sales, vendor management).
- Principle of least surprise: timely, accurate communication to affected parties and regulators to maintain trust and limit liability.

2) Step-by-step reasoning process
Step 1 — Contain the suspected exposure immediately to prevent further data loss (e.g., isolate or disable the third‑party integration if warranted).  
Step 2 — Preserve system logs, transaction records, and other evidence; record actions taken to maintain chain of custody.  
Step 3 — Activate the incident-response plan and assemble the incident response team (IT, security, legal, compliance, PR, vendor).  
Step 4 — Involve legal/compliance to interpret notification laws and obligations and to coordinate with law enforcement if needed.  
Step 5 — Assess notification obligations and risk to customers; determine scope and timing of disclosures.  
Step 6 — Communicate externally and internally based on verified facts only, balancing transparency with accuracy; provide actionable guidance to customers.

3) Intermediate actions (no numeric calculations required) include logging timestamps of containment, preserving copies of affected datasets, and documenting decision rationale.

4) Why this answer is correct
It prioritizes stopping harm, preserving evidence for investigation and legal defense, meeting regulatory requirements, and communicating honestly—consistent with executive stewardship and risk management.

5) Why other options are incorrect
- Waiting for full cause: delays can worsen exposure, violate notification laws, and damage credibility.  
- Letting vendor handle communications: the retailer retains responsibility for its customers and must coordinate and verify vendor claims.  
- Prioritizing sales recovery first: restoring operations before containment risks continued data loss and legal breaches.

6) Conclusion
The correct response is the second option: "Contain the suspected exposure, preserve evidence, activate the incident-response plan, involve legal/compliance, assess notification obligations, and communicate based on verified facts." This matches the provided answer.

类似问题

What is the primary purpose of the Act stage in the OODA loop?

Which of the following Incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an enterprise?

When developing an Incident Response Plan, you need procedures that ensure _________.

An Incident Response Plan does NOT _________.

Establishing logging, monitoring, and response procedures for security incidents occurs during:

更多留学生实用工具

智能学习助手

风格化写作助手

论文查重助手

文献引用助手

课堂转译助手

课堂笔记助手

Quiz搜索助手

学校历年真题

智能刷题助手

智能匹配练习

希望你的学习变得更简单