Challenges
- Incident Response Plans must be tested regularly to validate the response strategies and to ensure that response teams understand and adhere to expected procedures.
- All too often, Incident Response Plans are developed and then shelved, never to be reviewed until an emergency happens.
- Some Incident Response Plans are developed within the security team but never socialized with the other organizational stakeholders who are needed to contribute during an actual incident.
- Many Incident Response Plans are developed around worst-case scenarios, and therefore are not used for the majority of incidents affecting organizations.
- Organizations without formally trained incident responders rarely have the expertise to develop effective in-house exercises that truly stress test the plans.
Solution
An Incident Response Plan is much more effective if it is regularly practiced and continuously improved. The Incident Response Tabletop Exercise gives organizations the opportunity to formally practice various incident scenarios to validate the effectiveness of their plans. Trained facilitators lead the organization’s response team through round-table discussions tailored to the organization’s unique threats and capabilities. Incident Response Tabletop Exercises can be delivered in one of three presentation formats:
- Technical Staff – Technical staff exercises are usually 2-3 hours in duration and focus on the technical responders from the security team and other IT teams, who exercise the detailed technical procedures presented in the IRP and playbooks.
- Executive Staff – Executive staff exercises are usually 1-2 hours in duration and are focused at a higher level for senior leaders to discuss the incident’s consequences and the business decisions required as a result of those consequences. Participants usually include leaders from the IT and Security Organizations along with General Counsel, Finance, Risk, Public Affairs, and HR. Topics discussed at this level can include incident materiality, cyber insurance, regulatory compliance, breach notification, and ransom demands.
- Joint Staff – Joint staff exercises are more involved exercises (3-6 hours) that initially concentrate on just the technicians in the early session, and then transition to a joint exercise with the executive team in the latter session. The Joint Staff exercise covers both areas of focus and provides additional opportunities to simulate the communication and coordination between the responders and senior leaders.
After the exercise, the organization receives a comprehensive report that includes both positive observations and identified areas for improvement. Opportunities for improvement are supplemented with improvement recommendations and a suggested roadmap for implementing those recommendations. The full engagement concludes with a formal presentation of the final report to the organization.
All tabletop exercises are designed to be delivered remotely, but on-site engagements can be accommodated in most circumstances.