
DATA SHEET

Incident Management Tabletop Exercise


Purpose of Performing a Tabletop Exercise
A tabletop exercise gives your team a chance to simulate a real incident in order to determine the team’s readiness and uncover any
gaps. These exercises are used to validate or improve an existing Incident Management Plan and to ensure that everyone on your
team knows their role and understands their responsibilities in the event of an incident. Through this hands-on experience, your
team will be aligned on the process, know how to handle mitigation efforts, and be able to respond to incidents in a timely manner.

If your team does not have an existing Incident Management Plan, learn how to create one with our Incident Management Playbook
(Download Now).

How to Run a Tabletop Exercise


Tabletop exercises are meant to prepare organizations for different risk scenarios and threats. This document contains three
fictitious scenarios intended to facilitate a conversation with your team about all possible forms of investigation, remediation,
and notification.

The team should prepare for the tabletop exercise by reviewing your Incident Management Playbook and becoming well-versed
with any internal policies around incidents and breaches. All team members should be clear on what role they play on the Incident
Response Team and the role their department can play in the event of an incident.

When running the exercise, one person should act as facilitator. This person reads the scenario aloud to the group and confirms
that everyone understands it. At set time markers, the facilitator provides additional information to simulate the real-time nature of
uncovering new facts during the course of an incident. The facilitator should also document the discussion your team has: the
processes followed, the mitigation efforts tested, and the questions asked.

The Incident Response Team should have a conversation about how your organization would handle the scenario and focus on key
outcomes and teams involved. Teams should pose thought-provoking questions to stimulate debate amongst the team members.
Some example questions can be:

• What roles will other departments or authorities who are not in the room play, such as legal, finance, law enforcement, etc.?

• What resources are available to our team to investigate or remediate this type of incident?

• What third-party assessments or vendors would you include to investigate the incident or mitigate the associated risk?

• At what point do you determine an incident is a breach?

• What are our organization’s internal policies?

• What ethical considerations need to be made? Is there an ethical reason to notify customers when there isn’t an explicit
regulatory requirement?

After reviewing each scenario, there should be a post-incident discussion. Teams should consider what could have gone better and
where there were areas of friction. The Incident Response Team should document any outstanding questions, team members who
should be included in future incidents, and any amendments that need to be made to the Incident Management Playbook.

Scenario 1: Joe needs help formatting a customer rundown for his boss Charles. He asks his wife Pam for assistance. Since her
email address belongs to a different organization, he must share the document publicly over the internet in order to receive her edits.

In doing so, Joe made his customer list and their data available to the public, and unknown third parties gained access to it. Your
team discovers this incident approximately 9 months later.

5 minutes in: While investigating, we discover that Joe’s sales territory includes the states of California and Virginia.

15 minutes in: In the time since Joe shared the report, several prospective customers had unsubscribed from all communications
and were no longer potential sales leads.

Scenario 2: Daryl has been in conversation with his manager Caroline for a week about a big client meeting they have at the end of
the month. As he is responding to the email chain, he notices that there are two email addresses for Caroline in the thread.

On closer inspection, he realizes that the two addresses are Caroline.smith@zentoso.com, the correct email address, and
Caroline.smith@zenoso.com.

5 minutes in: The IT department informs Daryl that during the correspondence, the phisher sent Daryl a link to a file in
“Sharepointe” to review the approved customer pricing, which Daryl clicked on, assuming it was the Zentoso “Sharepoint” site.

15 minutes in: Daryl was working this deal in collaboration with the company’s Brazil office. Through the “Sharepointe” site, the
phisher was able to gain access to sensitive client payment information located in Brazil.

Scenario 3: Andrea is going on vacation for 2 weeks. A day before her trip, she is tasked with evaluating a potential vendor for
company use. Eager to start her vacation, she rushes through the vendor assessment and approves the vendor for use.

A few days later, Kevin receives an email from the vendor in question stating that their systems were breached and that customer
information from your company may have been leaked. Kevin tries to reach Andrea, but her phone goes straight to voicemail and her
out-of-office (OOO) reply states that she does not have access to email.

5 minutes in: During the investigation, it is determined that some of the leaked customer information relates to customers in
Europe, specifically in France, Spain and Italy.

15 minutes in: Two employees who used this vendor’s software tell IT that they use the same password for the company CRM
software, and there is reason to believe the attackers have access to their user credentials.

How OneTrust helps with Incident Management


OneTrust Incident Management centrally manages incidents, automates tasks, and keeps records for compliance and notification,
helping organizations comply with global laws. OneTrust DataGuidance, an in-depth portal covering the latest changes and updates to
hundreds of privacy and security laws and frameworks, is integrated directly into the OneTrust platform, enabling teams to build
context-aware automated workflows that react to incidents based on the regulations of each jurisdiction. Bridge the gap between
privacy and security by automating incident notification and storing the audit trails needed for compliance. OneTrust also mitigates
future risk and improves workflows by initiating a root-cause analysis to identify outstanding system- and application-level threats and
find opportunities to refine the notification process.

VIEW AN ONLINE DEMO AND GET A FREE TRIAL AT ONETRUST.COM

ATLANTA | LONDON | BANGALORE | MELBOURNE | SEATTLE | SAN FRANCISCO | NEW YORK | SÃO PAULO | MUNICH | PARIS | HONG KONG | BANGKOK

OneTrust is the #1 fastest growing and most widely used technology to help organizations build
more trusted privacy, security, and governance programs. More than 7,500 customers use OneTrust
to comply with the CCPA, GDPR, LGPD, and more. The OneTrust platform is powered by
the OneTrust Athena™ AI, and our offerings include OneTrust Privacy, OneTrust PreferenceChoice™,
OneTrust Vendorpedia™, OneTrust GRC, OneTrust Ethics, OneTrust DataGuidance™, OneTrust
DataDiscovery™, and OneTrust DataGovernance™. Learn more: OneTrust.com and LinkedIn.

Copyright © 2021 OneTrust LLC. All rights reserved. Proprietary & Confidential.
