After completing your organization’s Incident Response Plan, you must be prepared to use that plan amongst your teams. But when presented with endless scenarios and angles in which to tackle, and prepare with, your Incident Response Plan, what should you do?
IR Plans are living documents, kept alive by conducting tabletop exercises and by walking through the plan using real-life scenarios. Tabletop exercises can help you prepare to put that plan into action in the real-world.
A lot of decision-making goes into planning the tabletop exercise itself: which scenarios, which assets, which people, which departments. An expert facilitator can make those decisions for you, focusing on the most critical aspects of your IR Plan and validating those areas of concern.
If you’re wondering where you should begin in validating your IR Plan, tabletop exercises can be approached in a few different ways that will bring you the most value and give you the greatest return on your investment.
1. Conduct One Tabletop Exercise: Solo, Silo.
If you’re brand new to tabletop exercises, this is a common option: conduct a single tabletop exercise with your IT team. You could also test your marketing team, executive team, or legal team. With this approach, however, the team involved in the conducted tabletop exercise would be preparing in a silo, not interacting with or involving other teams that may be necessary in the given scenario.
But by focusing on one team, let’s say your IT team, you can better prepare those individuals to work well together with other existing teams in the long-run.
Overall, this approach is a typical starting point for an organization and can be expanded into the other approaches below.
2. Conduct Two Tabletop Exercises: Track System.
This approach allows you to conduct two tabletop exercises in tandem. The IT or security team would conduct a tabletop exercise first, then the tabletop would be conducted in conjunction with C-suite level leadership.
We often find that IT and security teams are a bit unprepared to put their incident response preparedness to the test in front of executive level management. A bit of extra practice in the first round allows for better communications and an overall more effective exercise when conducted with C-suite.
Overall, this two track system is effective for organizations looking to make IR preparedness part of their overall infosec and cybersecurity strategy.
3. Conduct Four Tabletop Exercises: Progressive.
When purchasing or conducting four tabletop exercises, the facilitator can plan an entire series of scenarios and exercises to challenge your teams. Each exercise can become progressively more difficult or intricate, focusing on deep insight into your people, processes, and technology.
An expert facilitator can provide guidance on critical areas of your business and direct your attention and preparedness to high priority items in the current cybersecurity landscape.
Overall, this approach can be beneficial for all, working from your starting point to a better prepared organization.
4. Conduct As Needed: Adaptable.
You may have heard us say this before, but organizations change over time. Your IR Plan must adapt as well.
People leave, new employees arrive, contracts with 3rd party vendors begin and end. Your business grows, technology changes, your assets change, data is moved to the cloud. These changes must be reflected in your IR Plan.
Overall, this option best serves those tabletop exercise veterans who have solid Incident Response preparedness foundations and have a more mature security posture. This adaptable approach is a great goal for organizations to have for their long-term security.
There you have it! Four ways to approach your Incident Response preparedness through conducting tabletop exercises.
Wherever your security posture lies in the moment, whether it’s beginning to form your IR Plan or adapting your response to a changing environment, RedLegg is here to guide you, and facilitate your teams, in what could benefit your company’s response and better protect your company from a breach.
Want more? Read...
