Which sequence correctly outlines the general steps of incident response relevant to inquiries?

• A. Contain, identify, recover, eradicate, and review.
• B. Identify, contain, eradicate, recover, and review.
• C. Identify, contain, eradicate, recover, and review.
• D. Identify, contain, eradicate, review, and recover.

Answer: (C)

This question tests the order of steps in incident response. The best sequence starts with identifying what happened so you know the scope and impact. Then you contain to prevent further damage while you work out a plan. After containment, you eradicate the root cause or artifacts of the incident to remove the threat from the environment. Next, you recover by restoring systems and services to normal operation. Finally, you review the incident to learn what happened, what worked, and what to improve for the future. This order makes sense because actions like containment and eradication rely on understanding the incident first, and recovery should follow containment and eradication, with a final post-incident review to close the loop. The other options either start with containment before identifying or place the review step before recovery, which would hinder restoring services.