Tabletop Exercises and Lessons Learned
Learn the importance of rehearsing an IRP and the actions to take after an incident concludes.
We'll cover the following
Table top exercises
A plan has little value if it hasn’t been rehearsed. Running through an IRP before responding to an actual incident provides several benefits:
-
First, it validates the plan itself, ensuring that it’s current, relevant, and accurate.
-
Next, it lets the team responsible for executing the incident plan practice.
-
Finally, it provides the opportunity to identify areas of improvement and adapt to an ever-changing threat environment. Each exercise yields opportunities for improvement, thereby improving the plan’s quality.
A tabletop exercise is a scheduled meeting with the security team where a scenario is presented. This scenario is prepared ahead of time. It should be realistic and should challenge the team to determine the best way to respond. As the team works through the scenario, someone should take notes because what’s documented may end up in the final incident response plan.
Lessons learned
One of the most critical phases of incident response is the after-action review. Once operations have been restored to their default state, a meeting should be set up with the team to review notes taken by the scribe. This is an excellent opportunity to review the incident and identify changes that can be made to improve the response plan if the incident were to occur again. Once updates to the plan have been made, we should add them to a centralized document repository that the entire team has access to and run through them again in a future tabletop exercise.
Get hands-on with 1400+ tech skills courses.