Has your organization experienced a data breach of some scale? Even if your teams have been working diligently to meet the requirements of PCI DSS, HIPAA, GLBA, GDPR, and similar standards, compliance reduces your exposure but does not eliminate it: it is still a matter of when, not if, your systems will be compromised. When creating your incident response plan, it is important to accept this risk and plan proactively for a breach event.
Requirement 12.10.2 of the PCI DSS requires organizations to review and test their incident response plan at least annually. The DSS isn't overly specific as to how this is to be done, but a discussion-based tabletop exercise can be an excellent way to test your plan and verify that all appropriate staff members understand their individual roles and responsibilities. A tabletop exercise should not require extensive resources, and it allows you to walk through realistic scenarios in an informal setting without touching production systems or creating any real risk to your organization. Done right, the exercise should help you validate that your policies and procedures are effective, strengthen relationships with team members and partners, and identify critical gaps or weaknesses in your incident response and recovery efforts.
Why should your organization plan and host a tabletop exercise?
As stated above, a tabletop exercise can help your organization meet PCI DSS compliance requirements, as well as those of other standards. But the real benefit your team will gain is the experience of the coordinated effort of walking through the test together, identifying gaps in processes, and improving your incident response plan. It is much easier to identify potential snags during a test than to realize you don't know who to call or what to do next during an actual incident or breach.
How often should you hold a tabletop exercise?
Per the DSS, this should become at least an annual event. You may also want to hold department or area-specific tests more frequently in any high risk areas or those that experience frequent change or turnover.
What is the first step in planning a tabletop exercise?
Once you have gained support to host a tabletop exercise, or even before, as a way to achieve buy-in for a test, you will need to clearly define the objectives and expected outcomes of the exercise. Determine the scope for the exercise and outline your goals and expectations. These may include testing your current incident response plan and identifying areas that need improvement. You may also have a goal of educating team members who aren't typically involved in day-to-day operations about the real risks and challenges you can run into. Another goal may be to build relationships and familiarity with other stakeholders, since communication during an actual incident is much easier with someone you have already worked with.
Who are the stakeholders that should participate?
Along with planning for an appropriate facility and selecting a training date, you will need to determine who needs to be involved. All relevant parties should be engaged in the planning process as appropriate so you can ensure their participation and buy-in. For a tabletop exercise that tests your ability to respond to a potential data breach, CampusGuard recommends you include the following staff members from across the organization:
- Senior leadership – VP, CFO, CIO, CISO, Controller
- Cash Management/Treasury
- Marketing/Public Relations staff
- Campus Police / local Police
- Internal Audit
- IT (local and central, if applicable)
- Front-line employees
You want key decision-makers in the room, as well as operations personnel that can bring experience and new ideas to the table. This can be a great way to break down silos and jumpstart constructive conversations across the organization.
How should the tabletop exercise be run?
You will want to have a detailed game plan that includes a list of questions that will engage all of the participants in an interactive dialogue. Make sure your script is planned but flexible enough to adapt to the discussion. Before you begin, make sure the moderator explains the ground rules for the exercise, but also make sure the environment encourages open discussion. Let all of the players know they should feel comfortable asking as many questions as they want and that it is okay to make mistakes. The facilitator should be there to help everyone think through different series of actions, ask probing questions, uncover key issues, and help the participants determine what will generate the best outcome.
What should be tested?
Take the time to create realistic scenarios that meet all of your objectives. You may want to reach out to other industry colleagues to see if they have examples for you to review, or run your scenarios by your Security Advisor to see if they have additional tips or suggestions. You may want to test specific examples, such as an employee finding a skimming device attached to one of their card readers during a morning inspection, or your log analysis showing an unexplained spike in outbound network traffic. Or you can keep your scenario broader: perhaps your acquiring bank calls and notifies you of a suspected breach (a common point of purchase notification), and you have no indication yet of which systems are involved.
The scenarios should test things like:
- Timing: How long will certain tasks and operations take during an event? How long will it take to isolate affected systems from the network in the event of a breach (without powering them off, so that volatile evidence is preserved for forensic review)? How quickly can information be restored from backups? How quickly can IT determine a list of affected customers or accounts? How fast can PR get a formal statement drafted for review?
- Communication: What if a key player is out of the office when the incident occurs? Have backup personnel been defined? Are there any gaps in the communication flow?
- Increased Volume: Test the abilities of your departments (e.g. call center, IT department, help desk, etc.) to expand and meet the demands of a data breach and related requests. How many support calls can staff realistically handle? Do you have additional staff who can assist with an increase in customer questions? Is someone responsible for actively monitoring the organization's social media accounts?
- Compliance: Do the teams know and understand the breach reporting requirements for PCI (to your acquirer and the card brands), for HIPAA, and for your state breach notification laws, including the reporting deadlines each imposes?
- Recovery: How soon can operations resume to a normal level? Which systems need to be up first? What if certain systems or information cannot be recovered?
What happens after the exercise concludes?
What happens after the exercise is really what will determine its overall success. Take thorough notes and, following the discussion, prepare a post-exercise summary (an after-action report) of all activities and lessons learned. Note any problems or gray areas that need more investigation, and assign action items to specific participants with target dates. Allow the team members to give their feedback on the exercise and explain how or why they arrived at the decisions they did. Document successes and weaknesses, then develop a simple plan for addressing any failures, update the incident response plan accordingly, and determine what can be done better in the future.
Useful references for building a test and exercise program:
- NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
- NIST SP 800-184, Guide for Cybersecurity Event Recovery
CampusGuard's Security Advisors are available to help facilitate or participate in your organization's annual tabletop exercises. Please don't hesitate to reach out to your dedicated team with any questions regarding planning or structuring your next event.
Some additional guidance from the Security Advisor Team below:
[Ko]: Tabletop exercises are one of the best methods for testing the effectiveness of your incident response plan. Due to their non-destructive nature, a small investment of time can really help to find any gaps and make necessary corrections to your plan before you really need to use it. During the exercise, be sure to listen for responses starting with “I think I would…” and note that as a gap. Make corrections to explicitly define steps so that on the next tabletop, the response is more like “I’d do xxxx, as stated on line 3 of the IRP…” Remember, cheating yourself to have a tabletop exercise complete without any identified gaps when they really do exist is only going to hurt you in the long run if/when you have to actually use the IRP.