An incident response plan (IRP) is a playbook for your incident response team. An IRP that's forgotten until an emergency arises isn't much help. Conducting a tabletop exercise is a great way to test your plan and make sure all your stakeholders understand their role in an incident response. It lets you identify any gaps or areas of confusion — before you experience an incident — so that you can refine your IRP and position your team to be effective when an incident occurs.
Each tabletop scenario involves hypothetical facts. The facts are broken up into realistic segments. You will start with a minimal amount of information, like the information you might receive when the incident is first discovered. As in an actual incident, the team will learn more facts as the scenario goes on. At each stage, take a reasonable amount of time to discuss the the IR team's plan for proceeding, given what the team knows, and to identify each IRT member's role in the response process. After you've gone through the whole scenario, discuss how the plan worked, whether the right people were involved, whether you missed any steps and what the consequences would have been, and then refine the plan to account for what you've learned.
The tabletop scenarios are in the form of slide decks, so you can discuss the questions at each stage and reveal new facts to participants as you play out the scenario:
On Monday morning, your IT staff starts to receive calls that employees are unable to log into their computers.
An IT employee discovers that malware has been detected on the network. Anti-virus software is unable to delete or quarantine the malware.
The Director of Alumni Relations just received a call from an Assistant Director that her car parked in her home driveway was stolen on New Year’s Eve. A laptop was in the back seat.
For additional resources related to incident response plans and for more on business resiliency, see business continuity planning.