Okay. Now we're going to be taking a look at certification and validation of business continuity. This is really just making sure that you have somewhat of a formal process for validating that things are back to normal and things are operating as they should. It's not just something that you're just checking off a list. When you look at the definition of business continuity, it's really about making sure that the business can continue to operate throughout disasters, events, or incidents. One of your goals should be as an incident response team, is to help maintain that continuity. In other words, just because there's a data breach, or an incident or a malware outbreak, it shouldn't cripple the company to where they can't do business. Part of your job as a good instant response practice is to support that mission. Sure enough, business continuity, risk and disaster recovery people are going to be the ones driving that, but you should be doing all you can to support that in your process of responding incidents. First thing is who decides if the organization is back to normal? Generally speaking, you will find that this is decided by policy. This policy is driven by the BCP or the disaster recovery team. They have guidance and oversight generally from upper management that's pushed down from strategy. All of this should be able to align back up to upper management, and overall corporate and security strategy. The IR team may serve as only support in the continuity effort. But you have to understand how your entire incident response process candy is bound at the hip to business continuity, and being able to keep things going. Now the BCP/ DR people may serve as support for IR and same, if that is what's going on in this particular instance. It really depends on the incident specifics as far as who's taken a lead and who's following. But generally what happens is in an incident response situation, that incident is more of a short-term thing and you have to remember that business continuity is a long-term overall strategy. It's a condition or a state that the organization wishes to be able to run in. You're coming jumping in and out of that space as you go through incidents. What the evaluation and validation, there has to be a period for how long you do that. In other words, if you're validating and trying to make sure that the organization is no longer in a compromised state, and we're back to normal. We already said earlier that there's a monitoring process and validation that has to go into that. We monitor for a certain amount of time, and then after we don't see any signs of infection or compromise, or adversely impacted operational state, then we can go ahead and certify that, you know what, things are back to normal. We're good, we don't see any signs of infection, and from that point we can move on. You do have to kind of set up a loose time frame as to what that is and what that means. Now, you want to make sure at this point you're starting to get the preparations together for follow up. This is where you're starting to pay closer attention to your documentation. Making sure that things align, you can flow per the documentation from one phase to the other where you've addressed and documented everything that happened. Everything you found because you want to be able to address this up and push it over to follow-up and lessons learned, so that we can get some real value from that perspective. Another recovery goal is to make sure infections don't recur from previous infections. This is going to be all part of that. Some holistically, recovery is mostly about closing out the incident, making sure you're completely back to operational state, no longer in a compromised state. There will be a lot of questions around this phase from other parts of your organizations. Like upper management, different departments that may have been adversely affected. They're going to have questions at this point. To ensure monitoring, you want to sort of monitoring still going into look for recurring events before moving on the follow up. Whatever your time frame is, for observation, you want to maintain that and in push right out of that into your follow up in your lessons learned. Hopefully this session has been useful for you to give you like a view into what the overall processes for doing this. I hope to see you in the next ones very soon.
