Tabletop exercises enable organizations to analyze potential emergency situations in an informal environment, and are designed to foster constructive discussions among participants as they examine existing operational plans and determine where they can make improvements.
Such exercises seem like a natural for information and physical security, because they provide a forum for planning, preparation and coordination of resources during any kind of attack.
“Tabletop testing generally takes the form of a discussion-based exercise, and involves reviewing roles, responsibilities and response efforts required to respond to a given security incident,” says Jay McLaughlin, CSO and senior vice president at Q2, a provider of software for the financial services industry.
“Testing tends to provide a high-level estimate of the potential for success in the event of such an incident,” McLaughlin says. “The major benefit of using these types of exercises is that they provide real scenarios in a non-threatening, non-disruptive format—and can be rather economical to conduct. The goal [is] that participants and management become more aware of possible gaps or weaknesses that may exist in the incident response plan.”
But what are the best practices for using security tabletop exercises? We asked some security executives to weigh in on the topic and here are a few of their suggestions.
Take the time to prepare for the exercise. “Preparation is a critical key to success in these exercises,” McLaughlin says. “During the planning phase, the objectives, scope, and participants must be determined.”
This is often the most time-consuming phase of planning for the exercise itself, but will ensure that the exercise is valuable, McLaughlin says. “When conducting the exercise, it is important that the facilitator enforces boundaries and helps guide the conversation, to prevent the group from going down the proverbial rabbit hole, which can often derail the exercise,” he says.
Conversations should be focused on the efforts required for detection, containment, eradication and recovery from an incident, McLaughlin says. Following the exercise, a post-incident summary of the activities should be documented and reviewed, he says. This review should capture lessons learned, as well as what could be done to improve the overall response efforts of future incidents.
Involve multiple parties from throughout the organization. Develop a list of business function leaders from across different areas of the company who will be part of the tabletop exercise team, in addition to those from security.
“A tabletop exercise allows you to not only test your incident response capability, but it gives you the opportunity to coordinate across various teams including human resources, communications, legal, compliance, IT, physical security, etc.,” says Mary Chaney, senior team leader, Incident Response & Data Management, at GE Capital Americas, a financial services unit of General Electric Co.
“The problem that we as security professionals face is the lack of visibility until something bad happens,” Chaney says. “A tabletop exercise gives you the ability to reach out in a non-stressful environment to ensure the relevant parties are engaged timely and appropriately. Most importantly, [other] business leaders actually know your name and that you are there to help.”
Involving business leaders in tabletop exercises “also gives senior leadership comfort in knowing that we are doing something to test our response and communications capability,” Chaney says. It’s a good idea to draft a report of the findings “and share it with all relevant stakeholders,” she says. “Seek assistance with addressing gaps in the process and take the time to solidify who actually has decision making ability, before the crisis happens.”
Having others from outside security sitting in on a drill can provide “a level of awareness as to why [information security] imposes controls that prior to the drill may have been viewed as excessive,” says Mark Olson, director of information security at Iron Mountain, a provider of storage and information management services.
“By running a drill that follows an attack from drive-by to a simple compromise of a desktop followed by a sideways attack on a server, [security] starts to make sense,” Olson says. “Suddenly, the [information security] approach and program philosophy are no longer a ‘sky is falling’ theory but has a tangible risk reduction purpose. The tabletop exercise is the opportunity to demonstrate the purpose and value of our InfoSec program.”
Make sure the participants know the ground rules of the exercise. “Communicate what is in scope for the exercise and out of scope,” says Elayne Starkey, CSO for the State of Delaware.
“Participants get frustrated if the ground rules aren’t explained or provided to them before the exercise,” Starkey says. “Frustration can lead to those individuals having a negative experience during the exercise, and could result in them not getting a lot of value from the exercise.”
Participants could then decide that exercises are a “waste of time” and not volunteer to participate in others, Starkey says. “In our exercises, each participant receives a copy of the official ground rules,” she says.
Ensure that the participants know how to communicate during the exercise. “For example, are they to simulate communications or should they actually communicate their decisions to other individuals that are participating?” Starkey says.
Leverage resources from within your industry and the government. Some industry organizations provide services to help companies conduct tabletop exercises.
For example, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is a financial services industry forum for collaboration on critical security threats facing the global financial services sector.
GE Capital Americas belongs to FS-ISAC, Chaney says. “They have several different types of tabletop exercises that are facilitated by them, which cover various types of scenarios,” she says. “The exercises are designed to test internal and external response capabilities.”
In a recent exercise with FS-ISAC, GE Capital tested communications inside its environment and determined at what point an event rises to the level where the company should communicate with other FS-ISAC members.
It’s also a good idea to invite outside agencies from federal, state and local government to participate. There are two reasons to do this, says Robert Connors, director of preparedness, Wounded Warrior Project Partnership at Raytheon Co., a provider of electronics, defense, communications and other systems.
“First, to get to know them and for them to get to know your environment before a crisis occurs,” Connors says. “Second, so they can learn from you and share best practices with you. It's a mutually beneficial partnership.”
When exercising, broader can be better. When structuring a tabletop it’s important to scope the breadth of the exercise, Olson says. “When running a drill from detection through customer and public disclosure, a wealth of knowledge of your program is presented,” Olson says.
“In the InfoSec world we typically view drills as the opportunity to validate our processes and procedures,” Olson says. “In a drill that runs through to handling the public disclosure you gain much more. It provides a view into the organization’s understanding of information security. It gives insight into how effective your security awareness training program is.”
Make the scenario as realistic as possible. “People tend to try to ‘fight’ the scenario,” Starkey says. “If it is a realistic scenario or event that is simulated, the fighting doesn’t occur. Invite subject matter experts to the planning team to accomplish this.”
For example, a recent exercise in Delaware was a cyber attack on the power grid, “and we included a rep from our largest utility to help write the exercise injects,” Starkey says.