Planning, Executing and Learning from Tabletop Exercises

Throughout the process of maturing your governance and compliance environment, you have likely encountered the need for conducting an annual or quarterly preparedness exercise, commonly referred to as a “tabletop exercise”.

These exercises are required for compliance with numerous standards, including ISO 27001/22301, GDPR, and SOC 2, to name just a few. While the focus of each tabletop may change, the format and desired outcome are largely the same, as discussed below.

Why Are Tabletop Exercises Important?

As previously mentioned, tabletop exercises are required for adherence to many standards, but more importantly, they are used to verify, validate, and enumerate response processes and procedures in place within an organization.

The scope of these validation tests spans many disciplines to include Business Continuity, Disaster Recovery, and Security Incident Response. The process of conducting tabletops provides an opportunity for all relevant personnel to become proficient in responding to the many different types of incidents faced by organizations.

In cases where an organization has a new or immature response environment, conducting these exercises uncovers inconsistencies in its response posture, such as training gaps, procedures that are not fully realized, technological shortcomings, and possible governance oversights.

By encountering these gaps ahead of a realized incident, the organization can develop a comprehensive remediation plan and ensure they are prepared for incidents of all types.

3 Steps Necessary to Optimize an Effective Tabletop Exercise

The following steps are used to ensure the organization receives the greatest possible value from the time and resources spent on planning, executing, and learning from tabletops.

1) Design and Plan

When planning a tabletop exercise, you must first begin with the desired outcome in mind and work backward to ensure all objectives are met. Here are a few things to consider when preparing in order to meet all objectives:

  • What are your objectives? What is the organization preparing for?
    • Is your objective to achieve annual compliance? Or is the intent to further the organization's maturity on a measurable basis? As discussed previously, there are many types of incidents for which an organization could conduct tabletops, such as Disaster Recovery, Security Incident Response, and Business Continuity incidents. The type of incident will heavily influence which personnel should attend and what types of scenarios will be covered.
  • Who will be in attendance?
    • For a tabletop to be effective, it is important to ensure that key decision-makers are involved. Those personnel can include, but are not limited to, organizational operations personnel, first responders (both internal reaction teams and local emergency first responders), and, in certain circumstances, high-risk vendors on which business processes heavily depend. In some situations, it may also be pertinent to include high-level executives for strategic direction of incident response governance.
  • What scenarios should be covered?
    • Having applicable and appropriate scenarios which can be used to facilitate learning and discussion within your tabletop is the most important aspect of design. Utilizing a risk-based approach, you should design scenarios to meet your objectives and align with likely incidents the organization may encounter. Within the scenarios you create, try adding unique and interesting injects to keep the discussion moving. An example of such injects may be the addition of a faulty generator that does not provide the expected level of redundant power during a power outage.

2) Execute

While the execution of the tabletop may be the shortest step, it is one of the most crucial. This is when members of the various response teams get the most training, interaction, and insight into the organization's incident response program. The format of the tabletop is largely up to the facilitator. However, the general flow of the exercise will likely follow the approach below:

When executing a tabletop, here are a few things to remember:

  • Ensure the environment is suitable for discussion.
    • The goal of the tabletop is to generate discussion and to plan ways to respond to incidents. The environment should be configured in a way that promotes that behavior. Keep in mind that while formats such as PowerPoint presentations in a classroom setting might work well for presenting new material, they may not be the best choice for spurring interpersonal communication. A good solution is to use a circular or elongated conference room table. If that is not an option, try placing chairs in a large circle, or even arranging a series of smaller groups for small-team discussion.
  • Utilize injects and open-ended questions to uncover overlooked details
    • You should encourage dialogue throughout the presented scenario in a manner that spurs discussion and promotes teamwork. The conversation should be directed towards a solution that falls within the scope of the previously identified objectives. When the team has arrived at an appropriate response to the scenario, utilize the developed injects to further exacerbate the scenario and drive deeper discussion.
    • Findings from this process are highly valuable, as the processes discussed and limitations highlighted have often not been previously disclosed or conceived. They should be carefully noted for use in the After-Action Report and Remediation Roadmap. For this reason, one or more team members should be directed to act as scribes to ensure that all pertinent discussion points are captured.

3) Learn

All the time spent carefully planning and executing your tabletop provides value beyond the exercise itself. Throughout the process, you have learned numerous lessons regarding gaps in processes, limitations in capacity or response procedures, and possibly even efficiencies that could be implemented throughout the organization to increase productivity. Now that the tabletop has concluded, it is time to consolidate those findings and generate the following items:

  • An After-Actions Report
    • The After-Actions Report, or AAR, is used to reflect on the performance and effectiveness of the tabletop and to effectively communicate the results. The AAR should contain the following at a minimum:
      • Date of the tabletop.
      • Facilitator and other team members in attendance and their respective roles.
      • The objective of the tabletop and whether that objective was reached. If it was not reached, include a detailed explanation as to why.
      • A discussion of both the strongest parts of the tabletop and the areas that require further work. Highlight the areas in which you would like to improve.
      • An examination of how effectively the existing policies and procedures aided in responding to scenarios. If they were not effective, speak to how they will need to be improved and consolidate them into a concise Gap Assessment that will be used to generate the Remediation Roadmap.
  • Remediation Roadmap
    • A detailed Remediation Roadmap documents the gaps in organizational preparedness that came to light during the tabletop exercise. The Remediation Roadmap should use S.M.A.R.T. goals to ensure that those assigned to remediate identified gaps follow steps that are actionable and measurable. An effective Remediation Roadmap should contain the following at a minimum, but may be adjusted to best fit the organization:
      • A list of all identified gaps.
      • Assigned owners of each gap. Without a responsible owner, the gap is not addressed and will still be present during the next tabletop or actual incident.
      • Recommendations for resolving each gap.
      • A timeline, built with the project planning method of your choice, that overlays the gap remediation work with preplanned check-in points and due dates. Common methods include Gantt charts, project management timelines, and sprint timelines.

Showtime!

Now that you know the basics of planning, executing, and learning from the various types of tabletops, it's time to begin conducting one of your own. If you feel your team may require further guidance, please reach out to our team here for more information. We'll provide the guidance necessary to develop a robust response posture that your team can be confident in.


3 thoughts on “Planning, Executing and Learning from Tabletop Exercises”

  • Fantastic post! I never realized there was so much to consider when implementing a tabletop exercise! The insights exhibited in this article really opened my eyes to importance of organizing and implementing an effective exercise to ensure that my organization is properly prepared to react when disruptions inevitably hit the business!

    Thanks risk3sixty. You’re the best!

  • Wow. Truly eye opening. Especially the insights into producing an After-Actions Report and Remediation Road Map! Far too often we have these exercises which are all fine and good, then walk away from it with little to no action items.

    You’ve really helped me to identify some key areas for improvement that I can now go implement at my place of business.

    Thanks risk3sixty! You’re true information security risk gurus!

  • More than a few times, our tabletops have resulted in complete confusion and interdepartmental feuding, but you have laid out some fantastic points that made me realize we could easily set the bar higher and find real value in our processes beyond a report to give to the compliance team to satisfy audit requirements.

    Thanks risk3sixty. I wouldn’t know where I’d be without you. Your blog posts never fail to enlighten me!
