NIST Cybersecurity Framework: Recover Security Controls
Restore assets and operations that were impacted by a cybersecurity incident.
Incident Recovery Communication
Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
During recovery, silence from the security team is a communications failure. Stakeholders who do not...
Public updates on the incident and ongoing recovery are shared using approved methods and messaging
Public communication about a security incident is high-stakes: every word is scrutinized by customer...
Incident Recovery Plan Execution
Execute the recovery plan once the incident response process initiates recovery
When incident response reaches the point where containment is achieved and recovery can begin, the d...
Select, scope, prioritize, and perform recovery actions
Not all systems can be restored at once, and attempting to do so without a clear priority order wast...
Verify the integrity of backups and restoration assets before use
Restoring from a corrupted or compromised backup is one of the worst outcomes during incident recove...
Re-establish critical mission functions and cybersecurity services
During an incident, critical business functions and security controls may be taken offline as part o...
The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed
Returning a system to production after an incident is not simply a matter of turning it back on. Sys...
The end of incident recovery is declared based on criteria, and incident-related documentation is completed
Incidents need a clear end, not just a quiet fade. Without a formal close, teams remain in incident ...