CISSP Practice Domain 7 — Security Operations Q109 of 120

Which is the FIRST action upon discovering a confirmed ongoing intrusion in a production environment?

A CISSP practice question covering Domain 7: Security Operations. Try answering before reading the explanation below.

A. Reformat all systems immediately
B. Containment per the IR playbook (isolate affected systems, preserve evidence) ✓ Correct answer
C. Notify the press
D. Disable all logging
Why "Containment per the IR playbook (isolate affected systems, preserve evidence)" is the right answer

Containment limits damage spread without destroying evidence. Reformatting destroys forensic data prematurely. Press notifications follow legal counsel review. Disabling logging is exactly wrong — preserve everything.
