Containment in incident handling involves limiting the damage caused by an incident and preventing its spread.
Re-imaging a compromised workstation (C) is a direct containment action to remove malicious software and restore system integrity.
(A) Patch verification and (D) validation scans are part of the recovery or prevention phases.
(B) Creating forensic images is an evidence preservation task, not containment.
The GICSP incident handling process emphasizes containment as an immediate action to stabilize the environment before eradication and recovery.
[Reference: GICSP Official Study Guide, Domain: ICS Security Operations & Incident Response; NIST SP 800-61 Rev 2 (Computer Security Incident Handling Guide); GICSP Training on Incident Handling Lifecycle]