This walkthrough illustrates how Business Continuity Services and the RPAS Rollback & Recovery Service respond to a ransomware incident — from detection through full ICT estate recovery from Git, with governed content continuation.
| Field | Value |
|---|---|
| Client | Contoso Health — Enterprise Healthcare tenant |
| Classification | Government/Healthcare — GDPR, HIPAA, ISO 27001 |
| Service tier | Premium (geo-redundant, RTO ≤ 4 h, RPO ≤ 1 h) |
| Last certified baseline | CSR-42 (RPAS v2.3.0) |
| Primary region | Azure East US |
| Recovery region | Azure West US 2 |
| Source of truth | Git repository (this framework) |
Before the attack, Contoso Health operates at Stage 4 continuity maturity:
contoso-health-prod| Signal source | Detection | Time |
|---|---|---|
| Cloud App Security / Defender for Cloud Apps | Ransomware activity policy — mass file rename/encrypt pattern | T+3 min |
| Microsoft Sentinel | Anomaly correlation — bulk delete + encryption extension pattern | T+5 min |
| Continuous compliance monitoring | Security drift — unexpected privileged access on VM | T+8 min |
| Real-time violations dashboard | Critical violation raised; multi-channel alert (Teams, SMS) | T+5 min |
Classification: Critical — Security drift + Application drift (Shadow IT/ransomware pattern)
Per RPAS G1 — Authority Boundary, automated systems detect and advise; humans decide; orchestration executes:
An AMD amendment record is opened: AMD-2026-06-17-0001 (Security Incident — Ransomware Containment)
The RPAS drift engine classifies the incident:
| Drift type | Finding |
|---|---|
| Security drift | Encrypted files, compromised endpoint, lateral movement attempt |
| Configuration drift | VM and M365 state no longer match CSR-42 baseline |
| Governance drift | Live estate diverges from Git-defined golden state |
| Observability drift | Elevated alert volume — expected during incident |
# Generate governance drift report against committed baseline
./governance/rpas/scripts/New-RpasDriftReport.ps1
# Validate current checksum integrity
npm run governance:validate
The incident response team selects full state recovery rather than incremental repair:
RPAS principle (RPAS-OPM): Rollback is not failure — rollback is governance working correctly.
The RPAS Rollback & Recovery Service restores the cryptographically verified CSR baseline:
# Restore repository to last SAFE-certified CSR promotion commit
./governance/rpas/scripts/Restore-RpasBaseline.ps1 -CsrId CSR-42
This script:
SAFE (RPAS): Promoted baseline to CSR-42governance/rpas/governance_checksum.jsonBefore any redeployment, all Atomic Execution & Validation gates must pass:
npm run governance:register
npm run governance:validate
| Gate | Check | Result |
|---|---|---|
| Gate 1 | Required RPAS files present | Pass |
| Gate 2 | Project binding valid | Pass |
| Gate 3 | ADPA / ARM / AEV artifacts intact | Pass |
| Gate 4 | Governance checksum integrity | Pass |
| Gate 5 | Proof-of-life deployment scenario | Pending → run in recovery region |
An ADPA decision record captures:
<hash>governance/rpas/templates/aev-metadata.template.jsonBecause Contoso Health codifies infrastructure in Git (Stage 3 maturity), recovery is reproducible deployment to a clean region — not manual rebuild.
sequenceDiagram
participant IR as Incident Response
participant Git as Git Repository CSR-42
participant RPAS as RPAS AEV Gates
participant Azure as Azure West US 2
participant RSV as Recovery Services Vault
participant M365 as Microsoft 365
IR->>Git: Restore-RpasBaseline.ps1 CSR-42
IR->>RPAS: npm run governance:validate
RPAS-->>IR: All gates pass
IR->>Azure: Deploy multi-tenant-infrastructure.bicep
IR->>Azure: Apply Azure Policy definitions from repo
IR->>M365: Apply M365DSC configuration from repo
IR->>RSV: Restore VM and database backups pre-attack
IR->>M365: Restore SharePoint/OneDrive from backup
IR->>RPAS: Drift detection + telemetry validation
RPAS-->>IR: Baseline match confirmed
| Step | Action | Command / artifact |
|---|---|---|
| 1 | Deploy clean tenant infrastructure to recovery region | blueprint-templates/infrastructure-blueprints/multi-tenant-infrastructure.bicep |
| 2 | Apply governance policies | Azure-IaC-Governance/, Azure Policy from repo |
| 3 | Restore M365 tenant configuration | M365DSC config from Git (integration guide) |
| 4 | Restore VM and database content | Recovery Services Vault — point-in-time restore (pre-encryption snapshot) |
| 5 | Restore SharePoint / OneDrive | M365 backup / versioning — last clean backup within RPO window |
| 6 | Redeploy application platform | ict-governance-framework/ via CI/CD pipeline |
| 7 | Reapply tenant config | ict-governance-framework/config/sample-tenant-config.json pattern |
If the recovery target were AWS or GCP instead of a secondary Azure region, the same Git repository applies — only the IaC target modules change. ADPA baselines remain the authority; cloud-specific templates deploy the equivalent governed estate.
# Confirm no governance drift against restored baseline
./governance/rpas/scripts/New-RpasDriftReport.ps1
# Confirm architectural topology matches manifest
./governance/rpas/scripts/Test-RpasDependencyDrift.ps1
# Continuous compliance scan
./azure-automation/Continuous-Compliance-Monitoring.ps1
| Validation | Expected outcome |
|---|---|
| Governance checksum | Matches CSR-42 committed hash |
| Azure Policy compliance | ≥ 95% compliant within 30 min |
| M365DSC scan | Tenant config matches Git definition |
| Content integrity | Restored files pass malware scan; no encryption extensions |
| Telemetry | Critical violations cleared; normal baseline resumed |
| Secure score | Within ±5 points of pre-incident baseline |
Once validated:
RTO achieved: ~3.5 hours (target ≤ 4 hours)
RPO achieved: 45 minutes (last clean backup; target ≤ 1 hour)
AMD-2026-06-17-0001 updated with recovery evidence and timestamps| Deliverable | Description |
|---|---|
| Recovery attestation | RPAS AEV gate results proving governed recovery |
| Lineage report | Git commit hash, CSR-42 reference, AMD record chain |
| Compliance evidence | Pre/post secure score, policy compliance, M365DSC scan |
| Timeline report | Detection → containment → rollback → restore → validation |
| Updated baseline | Optional CSR-43 with hardening controls codified in Git |
| Ad-hoc recovery | RPAS Rollback & Recovery Service |
|---|---|
| Restore “latest backup” — may include compromised state | Restore last CSR-certified known-good baseline |
| Manual rebuild — inconsistent configuration | Git-to-cloud redeploy — identical governed estate |
| No audit trail | Append-only AMD/ADPA evidence for regulators |
| Hope configuration is correct | AEV gates prove integrity before go-live |
| Single-region dependency | Multi-cloud / multi-region recovery from same repo |
| Recovery completes but compliance unknown | Telemetry validates ongoing compliance post-recovery |
Document type: Implementation example
Scenario version: 1.0
Aligned baseline: CSR-42 / RPAS v2.3.0