Does your organization have a documented process for verifying successful system restoration and confirming the return to normal operations after an incident or outage?
Explanation
This question concerns recovery validation: whether you have a documented process to verify successful system restoration and confirm a return to normal operations after an incident or outage. The process should include verification steps with system owners to confirm functionality, data integrity, and the ability of business operations to resume normally.
Evidence could include a system restoration checklist, post-incident verification procedures, or restoration sign-off forms that require system owner approval before declaring an incident closed. These documents should outline specific criteria for determining when a system is considered fully operational.
Implementation Example
Work with system owners to confirm the successful restoration of systems and the return to normal operations
ID: RC.RP-04.352
Context
- Function
  - RC: RECOVER
- Category
  - RC.RP: Incident Recovery Plan Execution
- Sub-Category
  - Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
Related questions
- Has your organization established documented procedures to initiate recovery processes during or immediately following security incident response?
- Have all personnel with recovery responsibilities been formally trained on the recovery plans and their specific authorization levels?
- Has your organization defined criteria for selecting recovery actions during incident response, and are these criteria followed when responding to security incidents?
- Does your organization have a process to reassess and update recovery plans based on changes in organizational needs and available resources?
- Does your organization verify restoration assets for integrity issues and indicators of compromise before using them in recovery operations?
- Does your organization use business impact assessments and system categorization records to prioritize the restoration of essential services during recovery operations?

