A marathon runner would not dare show up on race day without spending many, many hours training and preparing. Neither should a Security Incident Response Team expect to run smoothly in the midst of a disaster without any preparation. Tabletop exercises are crucial to this preparation process, as they allow the team to walk through a hypothetical incident and practice their individual roles and key decisions. Follow these steps to make the most of your team’s tabletop exercise, so in the event of a real disaster, you and your team are prepared to calmly and quickly mitigate the problem.
PRIOR TO THE EXERCISE:
Review the appropriate plans for your organization, department, or functional unit. This may include Security Incident Response Plans (SIRP), Business Continuity Plans (BCP), Disaster Recovery Plans (DRP), Emergency Operations Plans (EOP), or others.
Understand your specific role and expectations, including major responsibilities, tasks, interactions with other roles, and timelines. This information should be found in the respective plans that will be exercised.
Have a copy of all plans and supporting documentation available, either on a device or in hard copy.
Ensure all necessary technology is available, charged, and accessible. Ensure access credentials for necessary devices, accounts, applications, systems, etc. are known.
Block your calendar to avoid double-booked meetings so you can focus fully on the exercise. This should include at least 15 minutes before the anticipated start time of the exercise, and at least 30 minutes after the exercise.
Check for messages from the Exercise Facilitator or Incident Commander that may provide insight into the format or details of the exercise.
DURING THE EXERCISE:
Stay engaged in the exercise. Refrain from interacting with email, messaging, and texting threads that are not exercise-related.
Pay attention to the specific objectives of the exercise outlined by the Exercise Facilitator to ensure you are working toward fulfilling these objectives. The objectives typically include validating the plans, understanding your unique role, verifying incident decision criteria, testing the initial incident response (IIR) process, and communicating status.
Listen carefully to the scenario and consider its impact on you, your role duties, your team, your facility, and the organization. Consider all information provided and the timeline shared.
Actively engage with the exercise team to fully work through the scenario and any relevant injects that add mid-exercise course corrections.
Let the story lead the exercise. Recognize that occasionally there may be a technical fact or other detail presented by the Exercise Facilitator that isn’t 100% perfect. Go with the intent of the scenario to keep the exercise moving along, rather than arguing that the scenario would never happen in this way.
Any exercise-related communication should include obvious indications that this is an exercise, a drill, or a test, so as not to confuse anyone about whether this is a real incident. This includes both verbal and written communication (electronic or hard copy).
Throughout the exercise, look for areas of improvement in the respective plans, supporting documentation, processes, tasks, communication, timing, team members, and other resources. Make note of improvement opportunities and share them with the Incident Scribe and Exercise Facilitator after the exercise. Provide honest feedback to the facilitators in order to improve any noted aspect.