1. the reestablishment of the pre-incident status of allorganizational systems.
2. when an individual, an application, or anotherprogram, through access to the operating system's application programminginterface (API), attempts to and/or gains access to an information assetwithout explicit permission or authorization to do so
3. the process by which the CSIRT acts to limit thescale and scope of an incident as it begins to regain control over theorganization's information assets.