CompTIA CS0-003 - CompTIA CyberSecurity Analyst CySA+ Certification Exam

The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

ISO 27001 is an international standard that establishes a framework for implementing, maintaining, and improving an information security management system (ISMS). It helps organizations demonstrate their commitment to protecting their data and complying with various regulations and best practices. The other options are not relevant for this purpose: PCI DSS is a standard that focuses on protecting payment card data; COBIT is a framework that provides guidance on governance and management of enterprise IT; ITIL is a framework that provides guidance on service management and delivery.

After recovering a compromised server to its previous state, the analyst should perform forensic analysis to determine the root cause, impact, and scope of the incident, as well as to identify any indicators of compromise, evidence, or artifacts that can be used for further investigation or prosecution. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 6, page 244; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 6, page 253.

The correct answer is Business Continuity Plan (BCP) because the question specifically asks for the document that ensures services remain available (operational) during or in the event of an incident.

Business Continuity Plan (BCP): This is the overarching plan focused on keeping the business running. It identifies mission-critical functions and outlines the procedures (such as failover to a hot site, manual workarounds, or redundant systems) to ensure those services are available to customers and users despite the incident. Its primary goal is availability and continuity of operations.

Disaster Recovery Plan (DRP): This focuses on the technical restoration of IT systems after they have failed or been disrupted. While DRP supports BCP, its specific goal is "recovery" (getting systems back up) rather than "continuity" (keeping them from going down or maintaining service levels).

B. Vulnerability management plan: This is a proactive process for identifying and patching weaknesses to prevent attacks, not a reactive plan to ensure availability during an active incident.

C. Disaster recovery plan: As noted above, this is a subset of BCP focused on restoring data and infrastructure after a failure, whereas BCP focuses on maintaining the availability of the critical service itself.

D. Asset management plan: This tracks hardware and software inventory but does not define procedures for maintaining availability during a crisis.

To improve the detection of known attacks and behavioralIndicators of Compromise (IoCs), the best approach is tointegrate with an open-source threat intelligence feed. Threat intelligence feeds provide up-to-date information on known malicious IPs, domains, file hashes, and behavioral patterns that attackers use​.

Option A (randomly generating and storing hash values)is impractical, as there are an infinite number of possible files.

Option B (alerting on any system change)would lead to excessive noise and false positives, making the system difficult to manage.

Option D (manually adding signatures)is useful but is not scalable or as timely as an external intelligence feed​.

Thus, the correct answer isC, as integrating an open-source threat intelligence feed enhances the SIEM’s ability to detect and respond to real-world threats​.

The threat was detected from the time the emails were sent at 8:30 a.m. to when the recipients started alerting the organization’s help desk about the email at 8:45 a.m., taking a total of 15 minutes. The detection time is the time elapsed between the occurrence of an incident and its discovery by the security team . The other options are either too short or too long based on the given information. References: : Detection Time : Incident Response Metrics: Mean Time to Detect and Mean Time to Respond

A security analyst’s concern is that any discovered vulnerabilities in the OS that is approaching the end-of-life date will not be remediated by the vendor, leaving the system exposed to potential attacks. The other options are not directly related to the security analyst’s role or responsibility. Verified References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives, page 9, section 2.21

Vulnerability 2 should be prioritized as it is exploitable, has high exploit activity, and is exposed externally according to the SMITTEN metric. References: Vulnerability Management Metrics: 5 Metrics to Start Measuring in Your Program, Section: Vulnerability Severity.