What is a trusted computing base TCB?

Trusted Recovery

For a secured system, trusted recovery is recovering securely from operation failures or system crashes. The purpose of trusted recovery is to provide assurance that after a failure or crash, the rebooted system is no less secure than it was before the failure or crash. You must address two elements of the process to implement a trusted recovery solution.

The first element is failure preparation. In most cases, this is simply the deployment of a reliable backup solution that keeps a current backup of all data. A reliable backup solution also implies that there is a means by which data on the backup media can be restored in a protected and efficient manner.

The second element is the process of system recovery. The system should be forced to reboot into a single-user nonprivileged state. This means that the system should reboot so that a normal user account can be used to log in and that the system does not grant unauthorized access to users. System recovery also includes the restoration of all affected files and services active or in use on the system at the time of the failure or crash. Any missing or damaged files are restored, any changes to classification labels are corrected, and the settings on all security-critical files are verified.

Trusted recovery is a security mechanism discussed in the Common Criteria. The Common Criteria defines three types or hierarchical levels of trusted recovery:

Manual Recovery: An administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or system crash.

Automated Recovery: The system itself is able to perform trusted recovery activities to restore a system, but only against a single failure.

Automated Recovery without Undue Loss: The system itself is able to perform trusted recovery activities to restore a system. This level of trusted recovery allows for additional steps to provide verification and protection of classified objects. These additional protection mechanisms may include restoring corrupted files, rebuilding data from transaction logs, and verifying the integrity of key system and security components.

What happens when a system suffers from an uncontrolled TCB or media failure? Such failures may compromise the stability and security of the environment, and the only possible response is to terminate the current environment and re-create the environment through rebooting. Related to trusted recovery, an emergency system restart is the feature of a security system that forces an immediate reboot once the system goes down.

Configuration and Change Management Control

Once a system has been properly secured, it is important to keep that security intact. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Typically, this involves extensive logging, auditing, and monitoring of activities related to security controls and mechanisms. The resulting data is then used to identify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself. The means to provide this function is to deploy configuration management control or change management control. These mechanisms ensure that any alterations or
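The recovery step above says that after a crash, missing or damaged files are restored and the settings on security-critical files are verified; the change-management passage says the same data (a known-good configuration record) is what lets you spot unmanaged change. The following Python example, written for this page and not taken from the study guide or the Common Criteria, shows the verification half of that process: a baseline of content digests, permission bits and owner is recorded for a set of security-critical files while the system is known-good, and after a recovery the current state is compared against it. File names (policy.conf, shadow, audit.rules), their contents and the damage simulated in demo() are constructed for illustration; record_baseline and verify_recovery are hypothetical helper names. It assumes a POSIX host, since it relies on chmod mode bits.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large files do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths):
    """Record digest, permission bits and owner for each security-critical file
    while the system is in a known-good state (before any failure)."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {
            "sha256": sha256_file(p),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        }
    return baseline


def verify_recovery(baseline):
    """Compare the live state of every baselined file with the recorded baseline.
    Returns a list of (path, finding) pairs; an empty list means nothing drifted."""
    findings = []
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        st = os.stat(p)
        if sha256_file(p) != expected["sha256"]:
            findings.append((p, "content changed"))
        mode = stat.S_IMODE(st.st_mode)
        if mode != expected["mode"]:
            findings.append((p, f"mode {oct(expected['mode'])} -> {oct(mode)}"))
        if st.st_uid != expected["uid"]:
            findings.append((p, "owner changed"))
    return findings


def demo():
    """Constructed scenario: baseline three files, then simulate the damage a
    crash or bad restore could leave behind and report what verification finds."""
    with tempfile.TemporaryDirectory() as d:
        policy = os.path.join(d, "policy.conf")
        shadow = os.path.join(d, "shadow")
        rules = os.path.join(d, "audit.rules")
        with open(policy, "w") as f:
            f.write("deny_all = true\n")
        with open(shadow, "w") as f:
            f.write("root:*:0:0\n")
        with open(rules, "w") as f:
            f.write("-w /etc/shadow -p wa\n")
        os.chmod(policy, 0o644)
        os.chmod(shadow, 0o600)
        os.chmod(rules, 0o640)
        baseline = record_baseline([policy, shadow, rules])

        # Simulated post-crash damage (constructed): policy content altered,
        # shadow made world-readable, audit rules file lost.
        with open(policy, "w") as f:
            f.write("deny_all = false\n")
        os.chmod(shadow, 0o644)
        os.remove(rules)

        findings = verify_recovery(baseline)
        return sorted(kind for _, kind in findings)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline would be written at the end of a controlled change (the change-management record) and stored where the crash cannot corrupt it, such as on the backup media; the verification then runs from the single-user recovery state, before the system is returned to multi-user service.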