The entity identifies, develops, and implements activities to recover from identified security incidents
The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed
Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external)
The root cause of the event is determined
Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis
Lessons learned are analyzed, and the incident response plan and recovery procedures are improved
Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.
- BCD-01 - Business Continuity Management System (BCMS)
- BCD-02 - Identify Critical Assets
- BCD-02.1 - Resume All Missions & Business Functions
- BCD-02.2 - Continue Essential Mission & Business Functions
- BCD-02.3 - Resume Essential Missions & Business Functions
- BCD-04 - Contingency Plan Testing & Exercises
- BCD-05 - Contingency Plan Root Cause Analysis (RCA) & Lessons Learned
- BCD-06 - Contingency Planning & Updates
- BCD-11 - Data Backups
- BCD-11.1 - Testing for Reliability & Integrity
- BCD-12 - Information System Recovery & Reconstitution
- BCD-13 - Backup & Restoration Hardware Protection