ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
After containing and eradicating a cryptomining malware infection in an Amazon EC2-based web application, the response team is preparing to return the affected instances to production. According to incident-response best practices, which action should the security administrator take during the recovery phase to meet incident documentation requirements and support future improvements?
Delete the forensic EBS snapshots after verifying they are no longer needed to reduce ongoing storage costs.
Record a detailed timeline of actions, remediation steps, and evidence locations in the organization's incident ticket before bringing the servers back online.
Open new change-management tickets assigning developers to patch the vulnerable code without modifying the original incident record.
Simply relaunch the instances from a golden AMI and mark the incident as closed once user testing is successful.
Comprehensive documentation is a required activity during the recovery phase of the incident-response lifecycle defined by NIST SP 800-61 and ISO/IEC 27035. Updating the central incident record with a detailed timeline, remediation steps, evidence locations, and pending lessons-learned tasks preserves critical information while events are still fresh, enables post-incident review, and satisfies audit requirements. Merely restoring instances, deleting snapshots, or running an automated backup do not capture the information needed for effective lessons learned, legal inquiries, or compliance audits. Assigning developers new tickets may track code fixes, but without the complete chronology and artifacts of the incident it does not fulfill the broader documentation obligation.