Does your organization scan restored assets for indicators of compromise and verify remediation of root causes before returning them to production use?
Explanation
After a security incident, restored systems or data may still contain hidden malware, backdoors, or vulnerabilities that caused the original compromise.
This question assesses whether your organization performs security validation before reintroducing recovered assets into the production environment, which helps prevent reinfection and recurrence of the same incident.
For example, after restoring a server from backup following a ransomware attack, you should scan it for persistent malware and verify that the vulnerability that allowed initial access has been patched.
Evidence of fulfillment could include documented incident recovery procedures that specify post-restoration security checks, logs from vulnerability scanners or endpoint detection tools showing clean scans of restored assets, or change management records showing remediation actions taken before production deployment.
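As an added illustration (not code from the source page or from any framework it references), the following Python script models the gate the explanation describes: a restored asset is checked against a set of indicators of compromise (known-bad file hashes and a persistence marker) and against a root-cause remediation requirement (the exploited component must be at or above its fixed version), and it is approved for production only if both checks produce no findings. Every hash, path, component name and version below is constructed for the example; the in-memory "filesystem" stands in for a real scanner's file walk.

```python
"""Post-restoration validation gate (added example; not from the source page).

Two checks must pass before a restored asset returns to production:
  1. IoC scan: no known-bad file hashes or persistence markers are present.
  2. Root-cause remediation: the component that enabled initial access is at
     or above its fixed version.
All indicators, paths, components and versions here are constructed placeholders.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class RestoredAsset:
    hostname: str
    files: dict[str, bytes]                 # path -> content (constructed in-memory filesystem)
    scheduled_tasks: list[str]              # persistence locations to inspect
    installed: dict[str, tuple[int, ...]]   # component -> installed version


@dataclass
class Indicators:
    bad_sha256: set[str]                    # known-bad file hashes
    bad_task_substrings: set[str]           # markers that flag a malicious scheduled task


@dataclass
class RemediationRequirement:
    component: str                          # component whose flaw allowed initial access
    fixed_version: tuple[int, ...]          # minimum version that closes the root cause


@dataclass
class GateResult:
    approved: bool
    findings: list[str] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def version_str(v: tuple[int, ...]) -> str:
    return ".".join(map(str, v))


def scan_for_iocs(asset: RestoredAsset, iocs: Indicators) -> list[str]:
    """Return one finding per IoC match; an empty list means a clean scan."""
    findings = []
    for path, content in asset.files.items():
        digest = sha256_hex(content)
        if digest in iocs.bad_sha256:
            findings.append(f"IoC hash match: {path} ({digest[:12]}...)")
    for task in asset.scheduled_tasks:
        if any(marker in task for marker in iocs.bad_task_substrings):
            findings.append(f"Persistence indicator in scheduled task: {task!r}")
    return findings


def verify_remediation(asset: RestoredAsset, reqs: list[RemediationRequirement]) -> list[str]:
    """Return a finding for each root cause that is not verifiably fixed."""
    findings = []
    for req in reqs:
        installed = asset.installed.get(req.component)
        if installed is None:
            findings.append(f"Cannot verify remediation: {req.component} not in inventory")
        elif installed < req.fixed_version:
            findings.append(
                f"Root cause not remediated: {req.component} "
                f"{version_str(installed)} < fixed {version_str(req.fixed_version)}"
            )
    return findings


def validate_restored_asset(asset: RestoredAsset, iocs: Indicators,
                            reqs: list[RemediationRequirement]) -> GateResult:
    """Approve only when both the IoC scan and the remediation check are clean."""
    findings = scan_for_iocs(asset, iocs) + verify_remediation(asset, reqs)
    return GateResult(approved=not findings, findings=findings)


def demo_scenario():
    """Constructed scenario: one dropper hash, one persistence marker, one required
    patch level; a dirty restore (backup taken after compromise) and a clean one."""
    dropper = b"constructed sample bytes, not real malware"
    iocs = Indicators(
        bad_sha256={sha256_hex(dropper)},
        bad_task_substrings={"\\Temp\\updater.exe"},          # constructed marker
    )
    reqs = [RemediationRequirement("vpn-gateway", (4, 2, 1))]  # hypothetical component/version
    dirty = RestoredAsset(
        hostname="srv-files-01",
        files={"C:\\Temp\\updater.exe": dropper, "C:\\data\\report.txt": b"quarterly numbers"},
        scheduled_tasks=["Updater -> C:\\Temp\\updater.exe /silent"],
        installed={"vpn-gateway": (4, 1, 9)},
    )
    clean = RestoredAsset(
        hostname="srv-files-01",
        files={"C:\\data\\report.txt": b"quarterly numbers"},
        scheduled_tasks=["Backup -> C:\\Program Files\\Backup\\agent.exe"],
        installed={"vpn-gateway": (4, 2, 1)},
    )
    return iocs, reqs, dirty, clean


if __name__ == "__main__":
    iocs, reqs, dirty, clean = demo_scenario()
    for asset in (dirty, clean):
        result = validate_restored_asset(asset, iocs, reqs)
        print(f"{asset.hostname}: {'APPROVED' if result.approved else 'BLOCKED'}")
        for f in result.findings:
            print("  -", f)
```

The output of each run is the kind of record the evidence paragraph above asks for: a dated approve/block decision per restored asset, with the specific finding that blocked it. In practice the IoC set would be fed from the incident's own indicator list and the remediation requirement from the root-cause analysis, and the gate would run as a mandatory step in the recovery procedure rather than as a manual check.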
Implementation Example
Check restored assets for indicators of compromise and remediation of root causes of the incident before production use
ID: RC.RP-05.354
Context
- Function: RC: RECOVER
- Category: RC.RP: Incident Recovery Plan Execution
- Sub-Category: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
Related questions
- Has your organization established documented procedures to initiate recovery processes during or immediately following security incident response?
- Have all personnel with recovery responsibilities been formally trained on the recovery plans and their specific authorization levels?
- Has your organization defined criteria for selecting recovery actions during incident response, and are these criteria followed when responding to security incidents?
- Does your organization have a process to reassess and update recovery plans based on changes in organizational needs and available resources?
- Does your organization verify restoration assets for integrity issues and indicators of compromise before using them in recovery operations?
- Does your organization use business impact assessments and system categorization records to prioritize the restoration of essential services during recovery operations?