Exam SY0-701 topic 1 question 78 discussion

A. Preparation The preparation phase in the incident response process is when a security analyst reviews roles and responsibilities. This phase involves planning and setting up the necessary tools, processes, and team structures to effectively respond to potential security incidents. Therefore, the correct answer is: A. Preparation

In the incident response process, a security analyst reviews roles and responsibilities during the "Preparation" phase; this is where the incident response plan is established, outlining who is responsible for what tasks during a security incident, ensuring everyone understands their role and how to respond effectively.

From CompTIA guide Preparation—makes the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures Lessons learned—analyzes the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. Outputs from this phase feed back into a new preparation phase in the cycle Also... The lessons learned process reviews severe security incidents to determine their root cause, whether they were avoidable, and how to avoid them in the future. So, the world REVIEW is in the LESSON LEARN.

A. Preparation

The Preparation phase is the initial step in the incident response process where an organization establishes the foundation for handling potential incidents. It involves planning, setting up necessary tools, and defining roles and responsibilities.

The correct phase for reviewing and defining roles and responsibilities in the incident response process is the preparation phase. Lessons Learned is more about reviewing the entire incident after it has been resolved, identifying what went well and what didn't and making improvements for future responses.

This is a tough one! "The Preparation phase includes not only the initial establishment of roles and responsibilities but also their ongoing review and maintenance". I feel like these two steps kind of can blend into each other...review/lessons learned of one incident, can be preparation for the next incident.

Roles and responsibilities should be regularly reviewed, not just after an event. This enables good preparation. Events are reviewed retrospectively, that's when lessons are learned.

C. Review seems to be the key word here.

Given the options, the phase in the incident response process when a security analyst reviews roles and responsibilities is the Lessons learned phase. During this phase, the team reflects on their performance, identifies gaps, and ensures that roles and responsibilities are well-defined and understood for future incidents. The keyword in this question is "reviews". In the Lessons Learned step we review the roles to see if anything needs to be changed, in the preparation step we are just creating the roles, nothing to review yet.