When following up on a data breach, an IS auditor finds a system administrator may have compromised the chain of custody.
Which of the following should the system administrator have done FIRST to preserve the evidence?
A . Perform forensic discovery
B . Notify key stakeholders
C . Quarantine the system
D . Notify the incident response team
Answer: C