If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:
A . obtaining evidence as soon as possible.
B . preserving the integrity of the evidence.
C . disconnecting all IT equipment involved.
D . reconstructing the sequence of events.
Answer: B
Explanation:
The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law). All other options are pan of the investigative procedure, but they are not as important as preserving the integrity of the evidence.