Recovery
The main purpose of the recovery step is to restore all systems to normal operation. In a malicious code outbreak, recovering the functionality and data of infected systems may already have been carried out as part of the eradication process. Apart from restoring the infected systems, the other main aspect of recovery is removing any temporary containment measures, such as suspended network connections.

Before the containment measures are removed, an important step is a pre-production security risk assessment to confirm that no infection is still detected and that the cause of the original infection has been rectified.

All related parties should be notified before suspended services are resumed. IT personnel should restore specific functions and servers stage by stage, in a controlled manner, and in order of demand, e.g. the most essential services or those serving the majority should resume first.

After the suspended services are resumed, verify that the restoration has been successful and that all services are back to normal operation. Additional monitoring measures may be implemented to watch for any suspicious activity in the network segments concerned.