The Recovery phase in incident response focuses on restoring systems to normal operations and strengthening defenses:
Patching and configuring systems to meet secure standards (B) is a typical recovery activity to prevent recurrence.
Updating security policies (A) is usually part of the Post-Incident Activities or Governance.
Root cause analysis (C) is typically part of the Investigation or Analysis phase.
Forensic imaging (D) is part of the Containment and Eradication phases for evidence preservation.
GICSP aligns recovery activities with system hardening and return to normal operations.
[Reference: GICSP Official Study Guide, Domain: ICS Security Operations & Incident Response; NIST SP 800-61 Rev 2 (Incident Handling Guide); GICSP Training on Incident Response Lifecycle]