Introduction

You can’t always know what’s going to happen to your organization, but you have policies and procedures in place to handle the unknown: Business Continuity Plans (BCP), Disaster Recovery Plans (DRP), and/or Incident Response Plans (IRP). Having these plans in place is a great first step, but do you know if your plans will actually work in practice? This is where tabletop testing comes in.

What is Tabletop Testing?

Tabletop testing is a coordinated response exercise to disastrous scenarios that could happen to your organization. You’ll gather together the key personnel included in the response plan and walk through scenarios to see if your written plan actually makes sense in response to various disasters.

These test scenarios typically fall into one of two categories:

  1. Natural Disasters – flood, wildfire, tornado, earthquake, pandemic
  2. Internal Incidents – ransomware, phishing hack, rogue employee, building fire

TraceSecurity recommends that tabletop testing be based on two scenarios, one from each category, to get a good view into the types of disasters you may need to respond to.

Once you determine the scenarios you want to test your plan against, the key personnel will sit down and talk through the response and recovery actions documented in your plan. As you talk through your documented plan, you’ll be able to see where any gaps are and what may need to change for a more effective response.

Your Policies & Procedures

When it comes to tabletop testing, there are three common types of plan to test against. Your organization may have all three of these policies, or may have combined them into a single response plan. As you read what each policy is meant for, the necessary overlap between them is easy to see:

Business Continuity Plan (BCP)

A business continuity plan is about keeping your business running normally in the event of a problem or disaster. Its purpose is to ensure that your company continues operations for customers and employees when something goes wrong. Pausing business even for a moment can cause loss of trust among your clients, so it’s a good idea to have a plan for functioning through disaster scenarios.

Disaster Recovery Plan (DRP)

A disaster recovery plan typically covers recovery from a natural or man-made disaster. Disaster can strike in many forms, including fires, earthquakes, flooding, and more, and any one of these could easily cause business disruptions. Recovery measures can include a secondary location for continued business operations, backups of information and databases, and more.

Incident Response Plan (IRP)

The incident response plan revolves around cybersecurity incidents. These include attacks against your systems such as brute-force or phishing attempts. Cybersecurity incidents can come from a variety of sources, and this plan aims to mitigate any harm they cause. Cybersecurity awareness and training are big parts of these plans, since they can stop many of these attacks before they even start.

Annual Testing

Each year you go through personnel changes, restructuring, acquisitions, and any number of business moves that affect who carries out your recovery plans and how. With annual tabletop tests, your organization will be able to make the necessary updates and put its best foot forward in the event of a disaster.

It’s considered best practice to perform Tabletop Testing at least annually, and it’s now a specific compliance requirement for credit unions under the 2023 ISE Program. No matter the asset size, all credit unions are required to perform annual tabletop testing. You can read more about the NCUA ISE requirements in our blog post.

TraceSecurity offers Tabletop Testing for all response plan types. Our standard Tabletop Testing services include two scenarios (of your choosing) by default. During our service, one of our Information Security Analysts will facilitate your team’s tabletop exercises, making notes of any observed gaps or recommended updates. As a third-party observer, they will likely notice things that your team may overlook or not think about.

Eddy Berry, Security Research Analyst

Eddy has been researching cybersecurity for a few years now. He takes pride in identifying specific trends and best practices, and in tracking emerging news and government regulation. He researches topics and writes articles based on current events and important vulnerabilities that are affecting people, always hoping to get the necessary cybersecurity steps to those who need them.