Educause Security Discussion mailing list archives

Re: IR/DR Table-top Exercises


From: "Lazarus, Carolann" <lazarus () BUFFALO EDU>
Date: Thu, 30 Apr 2015 14:17:16 +0000

I don't know if your budget will allow use of a third party, but I just attended a CPE session on this very topic by a 
vendor - GreyCastle Security - Effective Tabletops.  They use a deck of cards to run the tabletop and it is tailored to 
your organization.  They included most everything Jim talked about plus more.  And they will provide various levels of 
service.  I have not used them, so this is not a recommendation, but just information.  The presenter was Reg Harnish, 
Chief Security Strategist and the session was for ISACA in Rochester, NY.

Carolann G Lazarus, CISA, CCEP
Internal Audit
University @ Buffalo<http://www.buffalo.edu/>, SUNY
716-829-6947
lazarus () buffalo edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim 
Dillon
Sent: Wednesday, April 29, 2015 6:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IR/DR Table-top Exercises

John,

Years ago I conducted a DR tabletop in lieu of a DR audit.  We designed an incident in collaboration with campus police 
and fire specialists that represented a chemical spill during tile repairs in the computing center causing a small fire 
and subsequent evacuation of the computing center.

The key to the exercise was that it was small and believable, AND we had the expertise of these external agencies to 
guide our consequences.  For example, the necessary arson investigation would require at least a 24-hour shutdown of the 
facility, something as IT and audit folks we may not have accounted for.

Another success factor was the mostly random (one judgmental!) exclusion of 14% of the staff from the exercise to 
represent vacation, illness, and other legitimate absence you would likely encounter on any given business day.  These 
folks could observe and take notes but could not participate in the table top exercise.

As a result of what I thought was a successful exercise (the IT group continued table tops for some years after this 
exercise) I have the following considerations:


1. Keep the event believable.  Don't try for the 1000-year earthquake.  A catastrophic power failure, small fire 
or failure in major HVAC equipment, or a boiler explosion may be sufficient.  Smoke has some nasty long-term side-effects 
so fire incidents can be powerful.  In real life I experienced a small fire/smoke incident at a church office where all 
computing equipment, although professionally serviced and cleaned, had to be replaced within 3 months due to the 
effects of smoke and acids in the smoke that damaged equipment leads and connectors.  Every drive, computer, phone, 
copier, and so on had to be replaced.  The recovery/clean service was a total failure in the fairly short run.  Over 75 
computers had to be replaced.  The fire was contained to a lawyer's office space all the way across the U-shaped 
business office building.

2. Involve police and fire experts in your exercise.  They will bring real-life considerations that may be 
overlooked otherwise.  Plan ahead of the incident to ensure realistic authorities and interruptions are included in the 
problem solving considerations.

3. Exclude a representative number of participants so that the table-top must react to missing skills and 
capabilities.  This is realistic and helps pinpoint weaknesses in the plan or plan documentation.

4. Involve a facility or services that have critical and time-relevant services.  Having to manage screams and 
urgency are also realistic factors for the exercise.

5. Include failures in recovery equipment, generators or other emergency dependencies, particularly where you may 
know they are not regularly and systematically tested.  This is realistic; I've seen it personally several times, and it 
reinforces the need to test, not presume.

6. Consider a continuity situation.  I have found over the years and organizations that continuity is seldom as 
well defined as recovery.  Where will supplies come from, who has the contacts list, what are the normal day-to-day 
logistics that have to be maintained when in continuity operation mode?  Do we have assurance of timeliness on spares, 
supplies, service connections, etc.?

I hope this at least provides some ideas to help you in your quest.  I think such exercises can be very valuable if 
done with proper input, preparation, and realistic contingencies.

Best regards,

Jim Dillon


Jim Dillon, CISA, CISSP
Director of IT Audit Services, CU Internal Audit
University of Colorado
Primary Phone and Messages: 303-735-7028
Grant Street Phone: 303-837-2201
Audit Administration: 303-837-2195
Fax: 303-837-2190
jim.dillon () cu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Knights, 
John
Sent: Wednesday, April 29, 2015 6:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IR/DR Table-top Exercises

Good Morning All-

We are making some changes to our incident/disaster response and recovery plans. We have conducted table-top exercises 
in the past in an effort to find strengths and weaknesses. Unfortunately, not all exercises make the best sense for 
higher ed, in our opinion, and I am reaching out to you all to see if you have any suggestions for table-top exercises 
to cover incidents and disasters. Feel free to reply to the listserv as I'm sure the community at large could benefit.

Thanks,
John

______________________________________________
John Knights
Information Security Officer
Wentworth Institute of Technology
Division of Technology Services

