Question 5
Domain 4: Individual Requests, Complaints and Privacy Incidents
Minutes after discovering suspicious exfiltration from a production database, what is the privacy team's first objective?
Correct answer: B
Explanation
The first objective after suspicious exfiltration is to stop further loss and preserve evidence so the incident can be investigated and remediated. Incident-response practice prioritizes containment and evidence preservation immediately after detection, before deeper analysis or notification.
Why each option is right or wrong
A. Draft a public statement before confirming any facts
B. Contain the incident and preserve evidence through the incident-response process
Under standard incident-response practice, the immediate priority after detecting possible data exfiltration is to limit further unauthorized access and preserve volatile and forensic evidence before it is altered, overwritten, or destroyed. This aligns with the incident-response lifecycle in NIST SP 800-61 Rev. 2, which places containment and evidence preservation in the initial response phase, ahead of root-cause analysis or external notification.
C. Delete affected logs so investigators do not see internal mistakes
D. Suspend all privacy operations until the next board meeting