Chapter 25. Recovery


Incident recovery is the process of bringing the system back to a known good state, removing any damage caused by the incident, and restoring the availability and accuracy of the information. Recovering a compromised system is required to return it to normal operations.

Recovery should occur after the incident is contained and there is some idea of its scope. However, it may be a business necessity to return the system to operation before the incident is fully contained. This risk needs to be carefully managed so that the system can be successfully restored. Restoring systems at the same time as containing the incident requires a great deal of coordination so that efforts do not interfere.

You must be able to determine how long the security incident has existed before you can determine what may have been compromised and what has to be restored. If a security incident has been going on undetected for some time, it is often difficult to pinpoint an exact start date. It is generally best to err on the side of caution and select a date that is clearly prior to the start of the incident so you can be assured that the information recovered from that date is not compromised.



Halting the Hacker. A Practical Guide to Computer Security
Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
