Conducting Incident Response Plan Table Top Exercises

Conducting Incident Response Plan Table Top Exercises

So, your Incident Response Plan looks good on paper – it’s been mapped, planned, documented. But has it been tested? Will it work?

Testing and drilling your employees and your Incident Response Team to understand how to respond in the event of an incident not only prepares them for an actual event, but it also helps to ensure that your plans are current and effective in the existing threat and organizational climate. Experts suggest that participating in table top exercises to simulate a real-world scenario is the best way to prepare.

When facilitating these exercises at your organization, be sure that the employees understand the purpose for conducting the exercises. They should be fully engaged so that you can determine if your team has all bases covered and be able to identify any previously unknown gaps in your current plan. The should understand that participating in these exercises will help determine if everyone can hypothetically talk through their respective functions during an incident and be sure everyone fully understands their role when responding to an actual incident.

The facilitator should present a scenario, asking participants specific questions related to the scenario, and from there, participants will engage in a discussion that focuses on roles, responsibilities, coordination, and decision-making during an incident. Prepare several scenarios in advance that will address specific areas of your Incident Response Plan you wish to test. Some sample scenarios include:

  • During a routine evaluation of system logs, an administrator discovers that company data has been obtained by an unauthorized user account.
  • A remote user has lost his/her laptop containing stored sensitive company data.
  • After a recent move, it has been discovered that a locked cabinet containing sensitive company data is missing.
  • A former employee, disgruntled after employment termination, has realized that he/she still has remote access to the company’s server and decides to infect the system with a virus.

We are already familiar with the stages of Incident Response: Preparation, Detection and Identification, Containment, Remediation, Recovery, Lessons Learned. Once presented with a scenario, the participants should begin going through these stages to determine what steps to take to handle the incident appropriately.

Here are some example questions that participants should be addressing during each stage of the exercise:


  • How are we currently preparing for a security incident? What are we doing to prevent an incident from occurring? What are we doing to limit the impact of this type of incident occurring?
  • Do we have proper policies and procedures in place for handling an incident? Are they adequate?
  • What actions would have helped to prevent this type of incident from happening?

Detection & Identification

  • What controls are currently in place that would help identify this incident, and what are the procedures for reporting this incident?
  • How do we detect malicious activity of unknown origin on our systems?
  • How would we respond quickly to a suspected incident?
  • What tools or assets do we have to assist us in detecting unauthorized activity?
  • How would we assess the incident?
  • Do we have a specific incident response team for this type of incident?


  • How are we documenting the incident? What evidence should be collected? Have all aspects of the incident been assessed? (size, scope). What is the risk of the incident on operations?
  • What do our procedures say about containing an incident?
  • What strategies should we take to contain the incident?
  • How can we prevent further damage from this incident?
  • What could potentially happen if the incident were not contained properly?


  • How can we clean the system?
  • Have we documented the footprint of the intruder? Where did it originate?
  • Have we made necessary changes to ensure successful restriction of a repeat incident?
  • Have the changes been tested?
  • Have we implemented any remote wipe capabilities?
  • Has a system access review been completed to ensure there are no other users that need to be removed?
  • What chain of custody procedures have been modified to ensure incident will not reoccur?


  • How do we securely restore the system?
  • What monitoring procedures will be in place to ensure successful recovery?
  • What backups of files existed to replace the lost files?
  • Have we prepared a backout plan if recovery is unsuccessful?
  • Have we considered alternatives for database access without the infected system being involved?

Lessons Learned

  • What happened? What gaps can we now identify from this incident?
  • How do we go about regaining our customers’ confidence?
  • Now we must revise our policies and procedures to prevent future attacks. What adjustments should be made to avoid these attacks going forward?

Use this exercise to be a teaching, educating, and inspiring experience. Practicing your step-by-step Incident Response Plans will help your organization to be able to respond quickly and effectively during a real-world incident.

With help developing your Incident Response Plan or for unbiased guidance on Information Security best practices, contact us today.

More Resources

SOC 2 Academy: Incident Response Best Practices

SOC 2 Academy: Testing Your Incident Response Plan

2 replies

Trackbacks & Pingbacks

  1. […] While organizations spend so much time focusing on how to keep malicious attackers at bay, sometimes they can overlook what they should do in the event of a breach actually occurring. Incident response plans are not only important when it comes to dealing with a flood or power outage. Don’t be caught with your sails down if your organization is compromised and ensure you have a fully developed incident response plan that has been both documented and tested. Organizations should have a designated team who is available 24/7 to handle any type of security incident. These teams must be fully aware of their responsibilities in the event of a data breach and undergo regular training. Here are the six steps of an incident response plan: […]

  2. […] More details on developing an incident response plan (IRP) can be found, here. […]

Comments are closed.