How To

Tabletop Exercises: Three Sample Scenarios

Six tips and three scenarios to get you started on a tabletop exercise

By Sarah D. Scalet

December 01, 2006CSOA tabletop exercise is a great way to get business continuity plans off the written page without the interruption of a full-scale drill. Rather than actually simulating a disaster, the crisis management group gathers for three hours to talk through a simulated disaster.

It can be a full-scale production that involves local first responders and professional moderators. Or it can be a simple affair conducted by in-house disaster planners. The idea is to have an escalating scenario that unfolds in several segments. After each segment, small working groups discuss how they would respond, then report back to each other before hearing from moderators about what happens next.

Tips for an Effective Tabletop

Decide how much gloom and doom you want. When planning a tabletop, Joe Flach, VP of Eagle RockAlliance, asks, "Do you want this to be a physical event with assets damaged and destroyed, or do you just want those things inaccessible? Do you want death and injuries, or just to test the ability to get work up and going someplace else?"

Test how quickly you can pull together key players. At public utility PSE&G, Director of Corporate Security Mike Paszynsky says the crisis management group doesn't always know when a tabletop will occur. Instead, the company tests how quickly it could reach all those individuals. Specialized software pings team members' phone numbers and communications devices, alerting them that the crisis management team is assembling.

Involve everyone. Make sure each person has a role. If one person answers all the questions, have others enact how they would respond if that person were unavailable.

Acknowledge that first-timers may be nervous. "Some business managers don't want to show that they may not know how to respond to a certain issue," says Rad Jones of Michigan State University. To make them more comfortable, consider an hour-long orientation. Later, work your way up to a three-hour exercise, and then invite local law enforcement and first responders to participate.

Encourage misinformation. During a crisis, Flach says, "you're always asked to make timely decisions based on incomplete and inaccurate information." You can simulate the confusion this causes by giving the groups handouts containing different information.

Take the lessons with you. A designated note-taker should keep track of what happens; always leave time for lessons learned.

Scenario 1 A disgruntled employee starts a data center fire

Segment 1: A small fire begins just outside the data center, setting off the alarm system. By the time the fire department arrives, the fire has been extinguished by the sprinkler system, but the building has been evacuated. Employees and people who work in nearby buildings want to know what has happened, as does the media. Then, as people begin to go back inside, the receptionist takes a call from someone who indicates that the fire is "only the beginning" because the company hasn't treated him right.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

Enabling Compliance with Converged Mainframe Security and Storage

Efficient - Flexible - Compliant

Understanding Data Location is Imperative for Data Loss Prevention

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

Any company can promise identity protection. Only Debix can prove it

Envision Identity-Based Access Control for the Datacenter

Digital Identity Protection and Data Security Get Personal

Welcome to the age of Service-Oriented Security (SOS)

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

5 Steps to Secure Outsourced Application Development

Manage your IT more effectively

Simplify your data center with Juniper Networks. View the webcast

Taking the Botnet Threat Seriously

Secure your virtual and physical environments with the same software

How Are Open Source Development Communities Embracing Security Best Practices?

IDC Defines an Identity and Access Management Submarket

Using Likewise to Comply with PCI Data Security Standard

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Solving Online Credit Fraud Using Device Reputation

Get in Compliance With Government Data Regulations