How should you respond to a suspected data manipulation event under CBM T6?

When something looks like data manipulation, the priority is to protect data integrity and enable a proper, documented response. The best approach is to preserve evidence, secure the data, and halt the affected processes to prevent further tampering. Then bring in the right oversight by notifying QA or regulatory owners so the event is formally tracked, followed by a thorough investigation to determine what happened, the scope, and the impact. Finally, implement corrective actions to address root causes and strengthen controls to prevent recurrence. This sequence preserves the chain of custody for evidence, involves the appropriate authorities, and moves from containment to remediation rather than concealing or ignoring the issue.