A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy - CompTIA CySA+ CSO-003

Question

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Answers

  • Create a timeline of events detailing the date stamps, user account, hostname, and IP information associated with the activities
  • Ensure that the case details do not reflect any user-identifiable information. Password protect the evidence and restrict access to personnel related to the investigation (correct answer, option B)
  • Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
  • Notify the SOC manager for awareness after confirmation that the activity was intentional
Explanation

Correct Answer: B. Ensure that the case details do not reflect any user-identifiable information. Password protect the evidence and restrict access to personnel related to the investigation

  • Privacy and HR policies often require that user-identifiable information is kept confidential throughout an investigation, especially in cases that could involve disciplinary action. Ensuring that any data collected (logs, temporary files, etc.) does not include sensitive information about the individual (unless necessary for the investigation) protects the privacy of the employee and mitigates the risk of violating privacy regulations or internal policies.
  • Password protecting the evidence and restricting access helps ensure that only authorized personnel are involved in the investigation and that the integrity and confidentiality of the evidence are maintained throughout the process. This approach respects privacy while ensuring that the investigation can proceed effectively.
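The two points above (keep user-identifiable information out of the case details, then protect the evidence and restrict who can reach it) can be illustrated with a small evidence-preparation script. The following Python example is added here and is not part of the exam page or of any CompTIA material; the log lines and the HMAC key are constructed for the illustration. It replaces user, host and source-address fields with keyed pseudonyms so that the same employee always maps to the same token (the timeline stays usable), writes the re-identification map to a separate structure that only the investigation team would hold, and seals the pseudonymised evidence with a SHA-256 digest so later tampering is detectable.

```python
"""Pseudonymise user-identifiable fields in collected evidence and seal it.

Added illustration, not code from the exam page. The sample log lines below are
constructed; usernames, hostnames and addresses are invented.
"""
import hashlib
import hmac
import re

# Constructed sample evidence: authentication and web proxy records.
SAMPLE_LOGS = [
    "2024-05-02T09:14:03Z auth user=jdoe host=WS-4471 src=10.20.30.41 result=success",
    "2024-05-02T09:15:27Z web user=jdoe host=WS-4471 src=10.20.30.41 "
    "url=http://blocked.example/ action=blocked",
    "2024-05-02T09:15:29Z web user=asmith host=WS-4472 src=10.20.30.42 "
    "url=http://intranet.example/ action=allowed",
]

# Fields that identify a person or their workstation; url/result/action stay visible
# because they are the substance of the policy violation being investigated.
FIELD_RE = re.compile(r"\b(user|host|src)=(\S+)")
LABEL_RE = re.compile(r"\b(user|host|src)=((?:USER|HOST|SRC)-[0-9a-f]{12})")


def pseudonymise(lines, key):
    """Return (pseudonymised lines, re-identification map).

    Tokens are HMAC-SHA256 over "field:value" under a case-specific key, so the
    same identity yields the same token within this case but cannot be guessed
    or correlated across cases without the key.
    """
    mapping = {}

    def replace(match):
        field, value = match.group(1), match.group(2)
        token = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
        label = f"{field.upper()}-{token}"
        mapping[label] = value  # kept separately, under restricted access
        return f"{field}={label}"

    return [FIELD_RE.sub(replace, line) for line in lines], mapping


def reidentify(lines, mapping):
    """Reverse the pseudonymisation for authorised investigators holding the map."""
    return [LABEL_RE.sub(lambda m: f"{m.group(1)}={mapping[m.group(2)]}", line)
            for line in lines]


def seal(lines):
    """SHA-256 over the evidence set, recorded with the case at collection time."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def verify(lines, digest):
    """Check that the evidence set still matches the recorded digest."""
    return hmac.compare_digest(seal(lines), digest)


if __name__ == "__main__":
    case_key = b"constructed-case-key-replace-per-case"  # constructed value
    redacted, id_map = pseudonymise(SAMPLE_LOGS, case_key)
    for line in redacted:
        print(line)
    print("evidence digest:", seal(redacted))
    print("re-identification map entries:", len(id_map))
```

The redacted lines are what goes into the case file and ticket; the key and the map are what the option's "password protect and restrict access" step must cover, since whoever holds them can undo the pseudonymisation. The digest is recorded alongside the evidence so that anyone later reviewing the case can confirm nothing was altered after collection.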

Why the Other Options Are Incorrect:

Create a timeline of events detailing the date stamps, user account, hostname, and IP information associated with the activities

  • While creating a timeline is an essential step in building the case and understanding the sequence of events, detailing user account hostnames and IP addresses could potentially expose personally identifiable information (PII). This could violate privacy regulations or HR policies if shared inappropriately or accessed by unauthorized personnel.
  • It is critical to balance the need for investigative details with the protection of user privacy. This approach might violate policies if not done carefully to redact or anonymize user-identifiable information.

Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation

  • While creating a code name might obscure the nature of the investigation from personnel who do not need to know, it doesn't address the primary concern of user privacy and compliance with HR policies. Simply obscuring the nature of the case is insufficient if user-identifiable information is still involved.
  • The most important action is to ensure user privacy and limit access to the evidence to those who are directly involved in the investigation, which is more effectively addressed through option B.

Notify the SOC manager for awareness after confirmation that the activity was intentional

  • Notifying the SOC manager is important for awareness, but this action alone doesn't directly address how to handle the investigation in compliance with HR or privacy policies. The key issue here is the proper handling of evidence and ensuring that any personally identifiable information is protected during the investigation process.
  • Waiting until the activity is confirmed as intentional also risks delays and could lead to further complications if privacy policies are not adhered to early on in the investigation.
