Depending on the seriousness of an incident IDS Security Services may coordinate the recovery of impacted IT systems or services. As a minimum, once it has been determined that a computer system has been compromised, the following steps must be undertaken:
- All related user passwords on the affected system must be changed (including all user FANs).
- A system may be wiped and rebuilt to ensure that all compromised system components are refreshed and no malicious code or entry exists on a system.
- Users reporting a security incident will be informed of the resolution or outcome of the incident response and recovery after all investigations have been completed.
IDS Security Services must provide clearance to reconnect or use a system that has been part of an incident investigation and recovery (suspected or confirmed).