What action is taken immediately after detecting unauthorized access to sensitive data?

Prepare for the CertMaster CE Security+ Domain 4.0 Security Operations Exam with multiple choice questions, hints, and explanations to boost your readiness for the test.

When unauthorized access to sensitive data is detected, the immediate action taken is incident containment. This step involves taking measures to limit the scope and impact of the security incident. The primary goal of incident containment is to prevent further unauthorized access or data loss while allowing for an investigation of the breach.

To contain the incident, organizations can isolate the compromised systems, disconnect them from the network, or implement measures that block attackers from further exploiting vulnerabilities. This approach helps preserve evidence for later analysis, which is crucial for understanding how the breach occurred and determining the steps necessary to remediate the situation.

Following containment, organizations may proceed with other steps such as compliance verification, which involves checking adherence to regulations and standards; however, these actions are not the immediate response to the detection of unauthorized access. A full system shutdown could result in significant operational disruption and may not be feasible or necessary in every incident. Surveillance implementation might also be relevant in a broader security strategy but is not a direct response to a specific incident.
