Educause Security Discussion mailing list archives
Re: IR/DR Table-top Exercises
From: "Lazarus, Carolann" <lazarus () BUFFALO EDU>
Date: Thu, 30 Apr 2015 14:17:16 +0000
I don't know if your budget will allow use of a third party, but I just attended a CPE session on this very topic by a vendor - GreyCastle Security - Effective Tabletops. They use a deck of cards to run the tabletop and it is tailored to your organization. They included most everything Jim talked about plus more. And they will provide various levels of service. I have not used them, so this is not a recommendation, but just information. The presenter was Reg Harnish, Chief Security Strategist and the session was for ISACA in Rochester, NY.

Carolann G Lazarus, CISA, CCEP
Internal Audit
University @ Buffalo<http://www.buffalo.edu/>, SUNY
716-829-6947
lazarus () buffalo edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Dillon
Sent: Wednesday, April 29, 2015 6:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IR/DR Table-top Exercises

John,

Years ago I conducted a DR tabletop in lieu of a DR audit. We designed an incident in collaboration with campus police and fire specialists that represented a chemical spill during tile repairs in the computing center causing a small fire and subsequent evacuation of the computing center. The key to the exercise was that it was small and believable, AND we had the expertise of these external agencies to guide our consequences. For example the necessary arson investigation would require at least a 24 hour shutdown of the facility, something as IT and audit folks we may not have accounted for.

Another success factor was the mostly random (one judgmental!) exclusion of 14% of the staff from the exercise to represent vacation, illness, and other legitimate absence you would likely encounter on any given business day. These folks could observe and take notes but could not participate in the table top exercise.
As a result of what I thought was a successful exercise (the IT group continued table tops for some years after this exercise) I have the following considerations:

1. Keep the event believable. Don't try for the 1000 year earthquake. A catastrophic power failure, small fire or failure in major HVAC equipment, a boiler explosion may be sufficient. Smoke has some nasty long-term side-effects so fire incidents can be powerful. In real life I experienced a small fire/smoke incident at a church office where all computing equipment, although professionally serviced and cleaned, had to be replaced within 3 months due to the effects of smoke and acids in the smoke that damaged equipment leads and connectors. Every drive, computer, phone, copier, and so on had to be replaced. The recovery/clean service was a total failure in the fairly short run. Over 75 computers had to be replaced. The fire was contained to a lawyer's office space all the way across the U-shaped business office building.

2. Involve police and fire experts in your exercise. They will bring real-life considerations that may be overlooked otherwise. Plan ahead of the incident to ensure realistic authorities and interruptions are included in the problem solving considerations.

3. Exclude a representative number of participants so that the table-top must react to missing skills and capabilities. This is realistic and helps pinpoint weaknesses in the plan or plan documentation.

4. Involve a facility or services that have critical and time-relevant services. Having to manage screams and urgency are also realistic factors for the exercise.

5. Include failures in recovery equipment, generators or other emergency dependencies particularly where you may know they are not regularly and systematically tested. This is realistic, I've seen it personally several times and it reinforces the need to test, not presume.

6. Consider a continuity situation.
I have found over the years and organizations that continuity is seldom as well defined as recovery. Where will supplies come from, who has the contacts list, what are the normal day-to-day logistics that have to be maintained when in continuity operation mode? Do we have assurance of timeliness on spares, supplies, service connections, etc.?

I hope this at least provides some ideas to help you in your quest. I think such exercises can be very valuable if done with proper input, preparation, and realistic contingencies.

Best regards,

Jim Dillon

Jim Dillon, CISA, CISSP
Director of IT Audit Services, CU Internal Audit
University of Colorado
Primary Phone and Messages: 303-735-7028
Grant Street Phone: 303-837-2201
Audit Administration: 303-837-2195
Fax: 303-837-2190
jim.dillon () cu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Knights, John
Sent: Wednesday, April 29, 2015 6:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IR/DR Table-top Exercises

Good Morning All-

We are making some changes to our incident/disaster response and recovery plans. We have conducted table-top exercises in the past in an effort to find strengths and weaknesses. Unfortunately not all exercises make the best sense for higher ed, in our opinion, and I am reaching out to you all to see if you have any suggestions for table-top exercises to cover incidents and disasters.

Feel free to reply to the listserv as I'm sure the community at large could benefit.

Thanks,
John

______________________________________________
John Knights
Information Security Officer
Wentworth Institute of Technology
Division of Technology Services