ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company hosts its e-commerce application entirely on AWS. After a breach in which stolen long-lived IAM access keys were used to copy sensitive objects from an S3 bucket, the incident response team has completed containment, eradication, and recovery. As the practitioner moves into the post-incident activities phase, which action best aligns with industry-standard incident response guidance for lessons learned and continuous improvement?
Immediately reinstate the affected IAM user's original permissions to avoid disrupting business operations.
Purge all evidence related to the breach and disable Amazon CloudTrail to minimize future log-storage costs.
Document the full incident timeline, identify root causes and control gaps, and update incident response runbooks before formally closing the case.
Disable S3 versioning on the bucket to reduce storage costs associated with multiple object copies.
Post-incident guidance from NIST SP 800-61 and ISO/IEC 27035 emphasizes conducting a lessons-learned analysis, producing a detailed report, and updating policies, procedures, and playbooks so that weaknesses uncovered during the incident are addressed before future events occur. Capturing the incident timeline, root cause, and control gaps, and sharing the findings with stakeholders, facilitates organizational learning and strengthens security posture. Simply rotating keys or changing service configurations may be appropriate containment or remediation tasks, but without documenting findings and updating processes, the organization misses the primary objective of the post-incident phase. Purging evidence or disabling logging violates both forensic and compliance requirements, while restoring compromised privileges without analysis can re-introduce risk.