[BreachExchange] Test Your Incident Response Team (a/k/a Tabletop Exercises)
Inga Goddijn
inga at riskbasedsecurity.com
Tue Nov 20 19:26:44 EST 2018
https://www.jdsupra.com/legalnews/test-your-incident-response-team-a-k-a-24074/
I have been conducting a lot of tabletop exercises lately, so it seems
timely to mention the concept now for those who may not know what they are
or how to get one scheduled for your organization.
What is a tabletop exercise and why is it relevant to your business? I am
not sure who originally coined the phrase, but we have been conducting them
for over a decade. They are quite informative, and teams at companies find
them to be very instructive on how to prepare for and respond to a security
incident. I have never walked out of a tabletop exercise without a to-do
list for me and the incident response team. It’s always a great experience.
If you are thinking about putting one together, there are a couple of
things you may wish to consider:
- Get your incident response team in place first. Know who is on it,
what their roles are and have a kick-off meeting to discuss roles and
responsibilities before you conduct the tabletop.
- Bring in an outside consultant to assist—that way the scenarios are
unknown to the team and they can’t prepare. This makes the session more
genuine, since you can’t prepare for an actual incident and the facts are
always different.
- Include legal counsel in the tabletop as legal counsel serves a
crucial role in incident response. Counsel provides advice from start to
finish and must be involved—to discuss the importance of what can be
included in discovery in the event of litigation following the incident,
mistakes that have been made in the past that can be avoided, what laws and
regulations are applicable depending on the circumstances, timing of
including law enforcement, insurance questions and attorney-client
privilege.
- Use real life scenarios that capture the biggest vulnerabilities of
the organization. The whole point of a tabletop is to prepare for the real
incident. Try to determine scenarios that are most relevant to the
organization’s risks so the preparation is most valuable.
- Consider a half-day session instead of just an hour. It is very hard
to really delve into all of the issues that come up during an incident in a
short amount of time. I find that half-day sessions, where the team can
grapple with several scenarios, are the most effective.
- Use scenarios that compromise different types of data within the
organization and are caused by different threat vectors. The response may
be different if it is employee data rather than customer or vendor data.
- Keep a to-do list throughout the session so at the end of the session
everyone on the team knows what their follow-up items are and a timeline
for getting them done before the next session.
- Start with one session. Just start. Then you can schedule additional
sessions going forward. Most companies have at least one session annually,
but I find that once you complete one session, additional sessions are
scheduled for the next year biannually or quarterly as the team finds it so
valuable and informative.
Just like testing your back-up plan is essential to respond to a ransomware
attack [view related post
<https://www.dataprivacyandsecurityinsider.com/2018/11/ransomware-and-back-up-plans/>],
testing your incident response team is important to practice for an
incident so the team is prepared and everyone understands what their roles
and responsibilities are when it happens. As I always say to clients–it is
no different than a sports team (say, the Boston Red Sox) practicing before
games so they can win the World Series. Companies that practice incident
response do much better when the real thing happens.