How should a DLP administrator change a policy so that it retains the original file when an endpoint incident has detected a copy to USB device operation?

Multiple Choice

Explanation:
This question tests how DLP handles preserving evidence when an endpoint incident shows a copy to a USB device. To ensure the exact file stays available for investigation, you configure a Limit Incident Data Retention policy and choose to Retain Original Message. This setting tells the system to preserve the original file content that triggered the incident, rather than just storing a summary or additional related data. Keeping the original artifact is crucial for forensic review and confirms precisely what was copied.

Other options don’t target preserving the original file itself: Retain All Data would keep more data than necessary and may include extraneous information; automatically quarantining changes the device’s handling of the file but doesn’t ensure the original content is retained in the incident store; disabling incident data retention would prevent preserving any evidence.
