A disgruntled employee has left your company and deleted all their email messages and files in Google Drive. The security team is aware that some intellectual property may have surfaced on a public social media site. What is the first step to start an investigation into this leak?
The first step in starting an investigation into the potential leak is to preserve all relevant data to prevent any further deletion or modification. Instructing a Google Vault admin to create a matter and place all the user data on hold ensures that the data is retained and safeguarded, allowing a thorough investigation to be conducted. This process is crucial as it maintains the integrity of the data, which is necessary for analyzing the potential leak of intellectual property.
If it was me, I would just search for the users data then share it with the security team. If there is not any retention policy applied then yes a Hold but most companies have Vault retention to indefinite so there is no need to use a Hold but for this question (bad elaborated) then yes, the correct answer is C, because there is no mention of what retention policies they are using. https://support.google.com/vault/answer/7664657?hl=en#zippy=%2Cwhats-the-difference-between-a-hold-and-a-retention-rule
correct answer - C
The first step to start an investigation into the potential intellectual property leak is: C. Instruct a Google Vault admin to create a matter and place all the user data on 'hold.' By creating a matter in Google Vault and placing the user's data on hold, you ensure that any relevant information related to the disgruntled employee's actions is preserved and cannot be modified or deleted. This allows the security team to analyze the data and investigate the potential leak.
Agree with C
First proper step is to create the investigation. If the question was "There's an emergency and need to check information right away" could be D. But as a first adecuate, secure, and auditable step. Must create the hold first.
C. Instruct a Google Vault admin to create a matter, and place all the user data on ‘hold.’
As a "first step to start an investigation into this leak" it sounds like creating a matter and placing ALL the user data on hold would be correct.