### Step 5: Recovery

The goal of recovery is to bring all systems back to full operation, after verifying they are clean and the threat is removed.

The SANS recovery procedure involves:

-   **Defining time and date to restore operations**—system owners should make the final decision on when to restore services, based on information from the CSIRT.
-   **Test and verifying**—ensuring systems are clean and fully functional as they go live.
-   **Monitoring**—ongoing monitoring for some time after the incident to observe operations and check for abnormal behaviors.
-   **Do everything to prevent another incident**—considering what can be done on the restored systems to protect them from recurrence of the same incident.