Tabletop Exercises – CompTIA Security+ SY0-401: 2.8

Instead of performing a full-blow disaster drill, you can validate your plans using a tabletop exercise. In this video, you’ll learn about tabletop exercises and some techniques for running tabletop exercises in your own organization.

<< Previous Video: Succession PlanningNext: Redundancy, Fault Tolerance, and High Availability >>

If you really want to see how well your disaster recovery plan is, you would run a test. You would simulate a disaster and then recover from that simulated disaster, and see how you did. But of course, this means that a lot of resources might be involved, and perhaps even a lot of people. And it’s certainly going to take time. And certainly that involves money as well to be able to run this simulated test.

Instead, you could do something like run a tabletop exercise. You can determine where your shortcomings might be by simply sitting down and analyzing what you might have done should a real disaster have occurred. This prevents you from having to go through the physical steps of a disaster or physical steps of a drill, but you’re still thinking through the process and determining if you have the right plan in place to recover from a disaster.

You want to get everybody together, all the key players, and be able to run through this simulation. This will be everyone around a table at the same time or on the phone discussing what has happened with the disaster and what the next steps might be. And everybody walks through exactly the way it should go based on the plans that you’ve previously made.

Before you begin doing a tabletop exercise, you need to determine how complex this is going to be. Do we contact the local fire and police departments, or is this something that we’re just going to talk about internally within our own organization? Now we determine the scope of this particular disaster. Is it something like a simple water main break that we have to recover from? Or was this a very bad disaster that involves deaths and injuries? And how do we adjust to have those particular problems occur?

Now we need to determine what the scope of the disaster might be. Do we want to have a simple water main break or should this be a hurricane or some type of natural disaster where there’s going to be injuries involved? This is going to make a big determination of how far we go through the steps of our disaster recovery process. We want to involve as many people as possible. But you may even want to bring them into the room as a surprise, sit them down, and say, a disaster has occurred. Now what do we do? If you really want to test your disaster recovery skills, this may be the type of disaster that doesn’t really give you a warning.

You should also not assume that every piece of information is going to be available. When disasters occur, there are gaps in communication, and it’s difficult to know exactly what might be going on. But people still need to be able to make decisions on how to recover from that. So this tabletop exercise should not be a perfect scenario. But you should run through something realistic enough that later on, you can look back at how you did and determine where you need to make changes with your disaster recovery plans.