Re-establish critical mission functions and cybersecurity services
During an incident, critical business functions and security controls may be taken offline as part of containment, or they may have been disrupted by the attacker. Getting these back online is not just about restoring productivity: it is also about restoring your ability to detect and respond to further threats. If your SIEM, EDR, or firewall is still down when you start restoring user systems, you are operating blind. This control ensures the most essential functions come back online before lower-priority services, including re-establishing the security monitoring capabilities that protect the recovering environment.
Implementation steps
1. Restore core cybersecurity services before restoring end-user systems

   Prioritize the restoration of security infrastructure: firewalls, EDR agents, SIEM ingestion, identity providers, and MFA services. These controls protect every other system you restore. Bringing them back first means you will have visibility and enforcement in place as the rest of the environment comes back online.

   Tools: CrowdStrike, SentinelOne, Splunk, Microsoft Sentinel, Okta

2. Restore critical business functions according to the recovery priority list

   Following the prioritized sequence established in rc-rp-2, restore business-critical systems such as payment processing, authentication services, customer-facing applications, and data pipelines. Follow the verified runbooks and use only the clean backups confirmed in rc-rp-3.

   Tools: Veeam, AWS Backup, Azure Backup, Terraform, Ansible

3. Validate that restored services are functional and security controls are active

   Run smoke tests and functional checks on each restored service before declaring it available. Confirm that EDR agents are reporting, firewall rules are active, and log forwarding is operational. Do not open services to users until both functionality and security monitoring are confirmed.

   Tools: CrowdStrike, Splunk, Datadog, Pingdom, PagerDuty
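The validation gate in step 3, combined with the ordering rule from step 1, can be expressed as a small readiness check. The following is an added example, not part of the original control text or any vendor's tooling; it assumes a constructed status snapshot per restored system (smoke test result, EDR last check-in, last forwarded log event) and an assumed 15-minute freshness window, and it refuses to mark any business system ready while a security-tier system is still failing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
# Assumed freshness window: telemetry older than this counts as "not reporting".
MAX_TELEMETRY_AGE = timedelta(minutes=15)

@dataclass
class RestoredSystem:
    name: str
    tier: str                         # "security" or "business" (assumed labels)
    smoke_test_passed: bool
    edr_last_checkin: Optional[datetime]
    last_log_event: Optional[datetime]

def _fresh(ts: Optional[datetime], now: datetime) -> bool:
    return ts is not None and now - ts <= MAX_TELEMETRY_AGE

def check_system(system: RestoredSystem, now: datetime) -> List[str]:
    """Return the blocking reasons for one system (empty list means ready)."""
    reasons = []
    if not system.smoke_test_passed:
        reasons.append("smoke test failed")
    if not _fresh(system.edr_last_checkin, now):
        reasons.append("EDR agent not reporting")
    if not _fresh(system.last_log_event, now):
        reasons.append("log forwarding not operational")
    return reasons

def readiness_gate(systems: List[RestoredSystem], now: datetime) -> Dict[str, str]:
    """Map each system to 'ready' or its blocking reasons. Business systems stay
    blocked until every security-tier system is ready (step 1 ordering)."""
    verdicts = {s.name: "; ".join(check_system(s, now)) or "ready" for s in systems}
    security_ready = all(verdicts[s.name] == "ready" for s in systems if s.tier == "security")
    for s in systems:
        if s.tier == "business" and verdicts[s.name] == "ready" and not security_ready:
            verdicts[s.name] = "blocked: security services not fully restored"
    return verdicts
# Constructed sample status snapshot (not real telemetry).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    RestoredSystem("siem-ingest", "security", True, NOW - timedelta(minutes=2), NOW - timedelta(minutes=1)),
    RestoredSystem("idp", "security", True, NOW - timedelta(hours=3), NOW - timedelta(minutes=1)),
    RestoredSystem("payments-api", "business", True, NOW - timedelta(minutes=1), NOW - timedelta(minutes=3)),
    RestoredSystem("web-portal", "business", False, NOW - timedelta(minutes=1), None),
]

if __name__ == "__main__":
    for name, verdict in readiness_gate(SAMPLE, NOW).items():
        print(f"{name:14s} {verdict}")
```

The per-system verdict strings double as the checklist evidence called for below: each blocking reason names the exact control that has not yet been confirmed.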
Evidence required
Security services restoration log
A record showing that cybersecurity services such as EDR, SIEM, and identity services were restored before end-user systems.
- Incident ticket showing sequence of restoration with security tools restored first
- EDR console showing agents back online with timestamps
- SIEM ingestion health dashboard screenshot post-recovery
Critical function restoration records
Documentation showing that each critical business function was restored per the prioritized recovery plan.
- Change records in ServiceNow for each system restoration
- Recovery task log with completion timestamps per system
- Application health check results post-restoration
Smoke test and security validation results
Evidence that functional checks and security control validation were run before users were allowed back onto restored systems.
- Test results document from functional smoke tests
- Checklist showing firewall rules, EDR enrollment, and log forwarding confirmed
- Monitoring alert confirming normal telemetry from restored systems
Related controls
- Select, scope, prioritize, and perform recovery actions (Incident Recovery Plan Execution)
- Execute the recovery plan once the incident response process initiates recovery (Incident Recovery Plan Execution)
- The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed (Incident Recovery Plan Execution)
- Verify the integrity of backups and restoration assets before use (Incident Recovery Plan Execution)