If you've already restored the system, what damage is there to control? Well, the aftermath, primarily. You need to follow through on any untoward consequences of the break-in. For instance, was proprietary information copied? If so, you need to notify your legal counsel and consider what to do.
You should determine which of the following concerns need to be addressed:
Do you need to file a formal report with law enforcement?
Do you need to file a formal report with a regulatory agency?
Do you need to file an insurance claim for downtime, use of hot spares, etc?
Do you need to institute disciplinary or dismissal actions against one or more employees?
Do you need to file a report/request with your vendor?
Do you need to update your disaster recovery plan to account for changes or experiences in this instance?
Do you need to investigate and fix the software or configuration of any other systems under your control, or at any affiliated sites? That is, has this incident exposed a vulnerability elsewhere in your organization?
Do you need to update employee training to forestall any future incidents of this type?
Do you need to have your public relations office issue a formal report (inside or outside) about this incident?
The answers to the above questions will vary from situation to situation and incident to incident. We'll cover a few of them in more detail in succeeding chapters.