Does your organization verify restoration assets for integrity issues and indicators of compromise before using them in recovery operations?
Explanation
This question examines whether your recovery sources are trustworthy: whether you verify restoration assets for integrity issues and indicators of compromise before relying on them in recovery. These checks should include scanning for malware, verifying file integrity against checksums or hashes recorded when the backup was taken, and confirming that no unauthorized modifications (altered, missing, or added files) are present that could reintroduce the original compromise into restored systems. The reference hashes or manifest must themselves be protected, stored separately from the backup store and signed or MAC'd with a key the backup system cannot reach, since an attacker who can alter a backup can usually also rewrite a manifest kept beside it.
Evidence could include documented restoration procedures that specify integrity verification steps, logs from integrity verification tools showing pre-restoration checks, or screenshots of security scanning results performed on restoration assets prior to deployment.
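The pre-restoration check described above, as an added example that is not part of this control text or any particular product: it verifies an HMAC over the backup manifest, re-hashes every listed file, reports files that are modified, missing, or not in the manifest, and compares hashes against a list of known-bad indicators. The manifest key, file contents, paths, and indicator hashes are all constructed for the demo; a real deployment would keep the key in an HSM or KMS and take the indicator list from threat intelligence.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key (assumption). In practice this key lives off the backup
# system so that whoever tampers with the backup cannot also re-MAC the manifest.
DEMO_MANIFEST_KEY = b"demo-manifest-key-stored-elsewhere"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_mac(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding of the manifest's file->hash map."""
    canonical = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_restoration_assets(asset_dir, manifest, key, ioc_hashes):
    """Pre-restore gate. Returns (ok, report); ok is True only if every check passed."""
    report = {"manifest_mac_ok": False, "mismatched": [], "missing": [],
              "unexpected": [], "ioc_hits": []}
    # 1. Do not trust a manifest whose MAC fails (constant-time compare).
    report["manifest_mac_ok"] = hmac.compare_digest(
        manifest_mac(manifest, key), manifest.get("mac", ""))
    if not report["manifest_mac_ok"]:
        return False, report
    # 2. Every listed file must exist and hash to the recorded value.
    listed = manifest["files"]
    for rel, want in listed.items():
        path = os.path.join(asset_dir, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        got = sha256_file(path)
        if got != want:
            report["mismatched"].append(rel)
        if got in ioc_hashes:
            report["ioc_hits"].append(rel)
    # 3. Files on disk that the manifest never listed are unauthorized additions.
    for root, _dirs, names in os.walk(asset_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, asset_dir).replace(os.sep, "/")
            if rel not in listed:
                report["unexpected"].append(rel)
                if sha256_file(full) in ioc_hashes:
                    report["ioc_hits"].append(rel)
    ok = not (report["mismatched"] or report["missing"]
              or report["unexpected"] or report["ioc_hits"])
    return ok, report


def build_demo():
    """Constructed scenario: a clean backup set, the same set after tampering,
    and a manifest forged to match the tampered file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        files = {"db/dump.sql": b"CREATE TABLE users (id INTEGER);\n",
                 "etc/app.conf": b"listen=127.0.0.1:8080\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        manifest = {"files": {rel: sha256_file(os.path.join(d, rel)) for rel in files}}
        manifest["mac"] = manifest_mac(manifest, DEMO_MANIFEST_KEY)
        planted = b"#!/bin/sh\n# constructed stand-in for a file matching a known-bad hash\n"
        ioc = {hashlib.sha256(planted).hexdigest()}  # constructed indicator list

        results["clean"] = verify_restoration_assets(d, manifest, DEMO_MANIFEST_KEY, ioc)

        with open(os.path.join(d, "etc/app.conf"), "ab") as f:
            f.write(b"listen=0.0.0.0:8080\n")      # unauthorized modification
        with open(os.path.join(d, "etc/cron.sh"), "wb") as f:
            f.write(planted)                      # unlisted file that hits an IoC
        results["tampered"] = verify_restoration_assets(d, manifest, DEMO_MANIFEST_KEY, ioc)

        # Rewriting the manifest to "match" the tampered file fails the MAC check instead.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["etc/app.conf"] = sha256_file(os.path.join(d, "etc/app.conf"))
        results["forged_manifest"] = verify_restoration_assets(d, forged, DEMO_MANIFEST_KEY, ioc)
    return results


if __name__ == "__main__":
    for name, (ok, report) in build_demo().items():
        print(name, "PASS" if ok else "FAIL", report)
```

The report, not just the boolean, is what you keep as evidence: a log line per restore attempt listing which files were mismatched, missing, unexpected, or matched an indicator satisfies the "logs from integrity verification tools" evidence this control asks for. Malware scanning of the unpacked assets is a separate step this block does not replace.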
Implementation Example
Check restoration assets for indicators of compromise, file corruption, and other integrity issues before use, and record the result of each check so that the decision to restore from a given asset is auditable.
ID: RC.RP-03.350
Context
- Function
- RC: RECOVER
- Category
- RC.RP: Incident Recovery Plan Execution
- Sub-Category
- The integrity of backups and other restoration assets is verified before using them for restoration
Related questions
- Has your organization established documented procedures to initiate recovery processes during or immediately following security incident response?
- Have all personnel with recovery responsibilities been formally trained on the recovery plans and their specific authorization levels?
- Has your organization defined criteria for selecting recovery actions during incident response, and are these criteria followed when responding to security incidents?
- Does your organization have a process to reassess and update recovery plans based on changes in organizational needs and available resources?
- Does your organization use business impact assessments and system categorization records to prioritize the restoration of essential services during recovery operations?
- Does your organization have a documented process for verifying successful system restoration and confirming the return to normal operations after an incident or outage?

