Conduct an Information Security Incident Response Exercise

Now that you have written your Information Security Incident Response Policy and Incident Response Plan, it’s time to exercise your plan to make sure everyone knows their roles and that you have not missed a critical aspect of responding to an incident.

This is often referred to as a Tabletop Exercise. Tabletop exercises can be simple, or they can be very complex. If you follow a few logical steps, you can be sure that the incident response plan you have written can be implemented in the event you have an information security incident.  Use the scenarios included in this guide or develop a scenario that could happen in your business environment.

Key steps in your exercise:

1. Assemble your team. Start with the team members you have identified in your policies. At a minimum, your team should have representatives from IT, Legal, Executive leadership, Public Relations and Human Resources. (In smaller dealerships, this may be two or three people!)
2. Allocate sufficient time. We recommend 4 hours.
3. Assign someone to capture lessons learned and items you want to change in your documentation.
4. Using a selected scenario (ransomware, data breach, phishing scam) talk through ALL actions from event discovery through resumption of normal operations. This includes input from each team member and business unit. Use the plan and policy documents as your guideline.
   • Think of the steps: DETECT, RESPOND, RECOVER then IDENTIFY the areas in which you need to make changes or implement new controls and PROTECT by implementing the necessary changes.
5. Identify team member action items required after the exercise is completed.
6. Edit your documents as required. This may include other program policies such as Access Control, Acceptable Use, and others.
7. Put the date on the calendar for your next exercise.

Exercising or rehearsing your incident response plan is critical to mitigating the effects of a security incident. It will help you meet any federal and state reporting timelines and requirements. It is also a great way to “reality check” your policies in general.

If you’d like more detailed information on conducting an Incident Response Exercise, please check out the ISACA Cybersecurity Incident Response Exercise Guide.