Recovery

Review of events
• analyse logs, establish and document timelines in concert with other ISPs
• identify and document access violations
• document any traceback of intruders, send to other involved ISPs
• identify, fix and document security weaknesses and physical failures
• followup with appropriate authorities
• communicate relevant details of system compromise throughout the organization

  Review of Procedures

• Review of Policy: does the policy cover the event?
• Review of Implementation: was the implementation of policy correct?

  Redraft and repeat till done ...