[&] Why is the NIST incident response framework considered more popular?
- It was introduced by a reputable national institute -- Correct
- It focuses heavily on the containment phase
- It provides a more granular approach to incident handling
- It includes additional phases not found in SANS

[&] What is the similarity between the SANS and NIST incident response processes?
- Both have identical phases with no differences
- Both prioritize eradication over detection
- They both conclude with the lessons learned phase -- Correct
- They do not include preparation as an essential phase

[&] Which phase is not one of the six phases in the SANS incident response process?
- Preparation
- Eradication
- Documentation -- Correct
- Identification

[&] How does the NIST incident response framework differ from SANS in terms of phases?
- NIST separates containment and eradication
- NIST has fewer phases because some are combined -- Correct
- NIST requires more phases for process compliance
- NIST focuses more on eradication than recovery

[&] Why might an organization choose the SANS process over NIST?
- It provides a more detailed operational breakdown -- Correct
- It is more formalized for enterprise-level governance
- It eliminates the need for an identification phase
- It offers more flexibility for policy alignment