Function: Recover (RC)
Category: Recovery Planning (RP)
“Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.”
RC.RP-1: Recovery plan is executed during or after an event
Recovery is executing information system contingency plans activates to restore organization mission/business functions. It should reflect mission and business priorities and recovery point/time and reconstitution objectives. The capabilities employed may include both automated mechanisms and manual procedures.
Audit Considerations
Auditors may examine the organization’s incident handling reports and testing documentation for action items and lessons learned. They may look if real-world incidents, testing, and post-incident reporting have been used to update the incident response procedures, training, and testing.
Applicable CIS Critical Controls
CIS Control 10 – Data Recovery Capability
Attackers may make significant changes to configuration and software. They may also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. Being able to recover to a trustworthy state is critical. Having the processes and mechanisms in place to restore systems and testing those mechanisms regularly are important aspects of recovery capabilities.