Develop a Recovery Plan
Objective
Develop and implement an incident recovery plan, including the identification of business-critical services to enable recovery prioritization, and business continuity plans for those critical services.
Description
- As part of the organizational continuity of operations plan, develop and implement a recovery plan with defined roles and strategies for decision making, including clearly identifying and documenting what is to be recovered, by whom, when, and where.
- Identify business-critical services to enable recovery prioritization, and business continuity plans for those critical services.
- Develop a recovery plan that outlines priority actions, as per Section 3.1 of the CCCS Ransomware Playbook:
  - Determine what is infected and isolate it (e.g., disconnect it from the network)
  - Report to law enforcement
  - Assemble the CIRT (Cyber Incident Response Team)
  - Change credentials
  - Wipe and reinstall
  - Run security software
- Monitor network traffic and run antivirus or anti-malware scans to confirm that no infection remains.
- Test IT continuity management mechanisms to ensure a proper state of preparedness, as an integral element of departmental business continuity management practices.
- As per CCCS Ransomware Playbook: “Paying the ransom does not guarantee access to your encrypted data or systems. Ultimately, the decision to pay the ransom is your organization’s to make, but it is important for your organization to be fully aware of the risks associated with paying the ransom.”
References
TBS
- DSM Appendix D (D.2.2.1, D.2.2.2, D.2.2.2.4, D.2.2.3 and D.2.2.5)
CCCS
- Ransomware Playbook (ITSM.00.099) (1.1.3, 2.2, 2.2.1 and 3.1), and
- Developing your IT Recovery Plan
Related Security Controls (ITSG-33)
CP-2, CP-2(1), CP-2(3), CP-2(5), CP-2(8), CP-10, IR-4, IR-5, IR-5(1), IR-6