cc7-5 High priority Security / System Operations

Incidents are recovered from and resumption of operations is documented

Getting through an incident is only half the work. The other half is returning to normal operations reliably and documenting what happened. This criterion covers the recovery phase: restoring systems from known-good state, verifying that threats have been fully eradicated, communicating with affected parties, and capturing lessons learned to improve future responses.

Complete first: cc7-4

Implementation steps

  1.

    Define recovery procedures for system restoration

    For each critical system, document the steps to restore it to a known-good state following an incident: how to identify clean backups, how to validate the integrity of restored data, and how to verify that the threat has been eradicated before bringing systems back online. Establish the compromise window first, because a backup taken after initial access restores the attacker's persistence along with the data. Recovery procedures should be documented before an incident occurs, not written during one.

    confluence notion aws-backup google-cloud-backup
  2.

    Test recovery procedures through drills

    Recovery procedures that have never been tested are likely to fail when needed most. Conduct at least annual recovery drills: restore a system from backup, verify data integrity, and confirm the system is clean. Document the drill results, including measured recovery time against the target RTO and any gaps discovered.

    confluence notion
  3.

    Conduct post-incident reviews and communicate with affected parties

    After recovery, document what happened in a post-incident report: timeline, root cause, impact, response actions, and lessons learned. If customer data was involved, follow your breach notification obligations. Communicate transparently with affected customers per your contractual commitments and applicable regulations. Use the review to drive concrete improvements, and track each corrective action to closure with an owner and a due date.

    confluence notion jira linear
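The integrity validation in step 1 and the timed drill in step 2 can be backed by a small script rather than a manual diff. The following is an added example, not part of this control page or any vendor tooling: it builds a SHA-256 manifest of a known-good backup, verifies a restored tree against it (missing, modified, and unexpected files), times the restore against an assumed RTO, and returns a drill record that can be filed as evidence. The backup contents, the `billing-api` system name, the faulty restore, and the RTO value are all constructed for the demonstration.

```python
"""Restore-drill validator: checks a restored tree against the hash manifest
of a known-good backup and records the drill outcome (added example)."""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every file under root. Generate this when
    the backup is taken and store it separately from the backup itself."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest. An 'unexpected' file is one
    the backup never contained; it needs explaining before go-live."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def run_recovery_drill(system: str, manifest: dict, restore, target: Path,
                       rto_seconds: float) -> dict:
    """Time the restore, verify integrity, and emit a drill record.
    `restore` is a callable that performs the actual restore into `target`."""
    started = time.monotonic()
    restore(target)
    elapsed = time.monotonic() - started
    findings = verify_restore(manifest, target)
    integrity_ok = not any(findings.values())
    within_rto = elapsed <= rto_seconds
    return {
        "system": system,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "recovery_seconds": round(elapsed, 3),
        "within_rto": within_rto,
        "integrity_ok": integrity_ok,
        "result": "PASS" if integrity_ok and within_rto else "FAIL",
        "findings": findings,
    }


def demo() -> dict:
    """Constructed scenario: a tiny 'backup' tree, one clean restore and one
    restore that silently alters a config file and leaves a stray file."""
    work = Path(tempfile.mkdtemp())
    backup = work / "backup"
    sample = {"etc/app.conf": b"listen=443\n", "data/users.db": b"\x00" * 512}
    for rel, data in sample.items():
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(data)
    manifest = build_manifest(backup)

    def clean_restore(target: Path):
        shutil.copytree(backup, target)

    def faulty_restore(target: Path):
        shutil.copytree(backup, target)
        (target / "etc/app.conf").write_bytes(b"listen=443\nlisten=8080\n")
        (target / "data/.cache").write_bytes(b"stale")

    # Hypothetical system name and RTO, chosen for the example only.
    results = {
        "clean": run_recovery_drill("billing-api", manifest, clean_restore,
                                    work / "restored_clean", rto_seconds=3600),
        "faulty": run_recovery_drill("billing-api", manifest, faulty_restore,
                                     work / "restored_faulty", rto_seconds=3600),
    }
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be produced at backup time and stored out of band (for example signed and kept with the drill records), so that an attacker who tampers with the backup cannot also rewrite the hashes it is checked against. Hash verification confirms the restore matches the backup; it does not confirm the backup itself predates the compromise, which is the separate eradication check step 1 calls for.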

Evidence required

Recovery procedures documentation

Written procedures for recovering systems after a security incident.

  • System recovery runbook or disaster recovery procedure
  • Backup restoration procedure with validation steps
  • Business continuity plan covering incident recovery

Post-incident review records

Evidence that incidents are reviewed and lessons learned are documented.

  • Post-incident report with root cause and corrective actions
  • Recovery drill results and findings
  • Incident closure checklist showing recovery verification

Related controls