Weekly CISSP Practice
Exam Questions
Week 5 - Question 2
Question: After a data breach, what's the FIRST step to undertake?
A. Inform the media
B. Conduct root cause analysis
C. Contain the incident
D. Inform affected clients
Correct Answer: C
Explanation:
A. Inform the Media
Public relations and media notification are part of the Post-Incident or Reporting phases.
The Danger of Early Disclosure: If you inform the media before the incident is contained, you may inadvertently tip off the attacker, causing them to accelerate their data exfiltration or destroy evidence (anti-forensics) before you can stop them.
Accuracy Matters: Management and legal teams need a clear picture of what happened before making public statements to avoid "correcting the record" later, which damages organizational credibility.
B. Conduct Root Cause Analysis (RCA)
Root cause analysis is a deep-dive investigation aimed at identifying the fundamental reason why the breach occurred.
Timing: This is a Post-Incident activity. While you might gather some clues during the initial response, a formal RCA is a slow, methodical process.
Prioritization: You cannot spend hours or days analyzing how a "hacker got in" while they are still actively moving through your servers. Investigation follows preservation, and preservation follows containment.
C. Contain the Incident
Containment is the highest priority once an incident has been verified. The goal is to limit the "blast radius" and prevent the situation from getting worse.
Tactical Actions: This includes disconnecting a compromised workstation from the network, disabling a compromised user account, or failing over to a clean environment.
The "First Step" Logic: In the CISSP mindset, security is about protecting the CIA Triad (Confidentiality, Integrity, and Availability). Containment is the most direct way to protect these three pillars in the heat of a crisis. By isolating the threat, you buy the security team time to investigate without further data loss.
D. Inform Affected Clients
Notification is a legal requirement under frameworks like GDPR, CCPA, or HIPAA, but it is never the first step.
Legal Requirements: Most laws require notification "without undue delay," but they also allow time for the organization to take the necessary measures to determine the scope of the breach and restore the integrity of the system.
Verification: You cannot tell clients what was stolen until you have successfully stopped the theft and analyzed the logs. Premature notification can lead to unnecessary panic if it turns out no sensitive data was actually accessed.
Key Takeaway for the CISSP Exam
The Golden Rule of IR: Always follow the standard phases: Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned. Containment is the bridge between realizing you have a problem and actually fixing it.
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.