The team should prepare for the tabletop exercise by reviewing your Incident Management Playbook and becoming well-versed
in any internal policies covering incidents and breaches. Every participant should be clear on the role they play on the Incident
Response Team and the role their department plays in the event of an incident.
When running the exercise, designate one person as facilitator. The facilitator reads the scenario aloud to the group and confirms
that everyone understands it. At set time markers, the facilitator injects additional information to simulate the way new facts
surface over the course of a real incident. The facilitator should also document the discussion as it happens: the processes
followed, the mitigation steps tested, and the questions raised.
The Incident Response Team should talk through how your organization would handle the scenario, focusing on the key
outcomes and the teams involved. Participants should pose thought-provoking questions to stimulate debate.
Some example questions:
• What roles will other departments or authorities who are not in the room play, such as legal, finance, law enforcement, etc.?
• What resources are available to our team to investigate or remediate this type of incident?
• What third party assessments or vendors would you include to investigate the incident or mitigate the risk associated with this?
• What ethical considerations need to be made? Is there an ethical reason to notify customers when there isn’t an explicit
regulatory requirement?
After working through each scenario, hold a post-exercise discussion. Consider what could have gone better and where there
was friction. The Incident Response Team should document any outstanding questions, any team members who should be
included in future incidents, and any amendments that need to be made to the Incident Management Playbook.
Scenario 1: Joe needs help formatting a customer rundown for his boss Charles. He asks his wife Pam for assistance. Since her
email address belongs to a different organization, he shares the document publicly over the internet in order to receive her edits.
In doing so, Joe makes his customer list and the customers' data available to anyone, and unknown third parties gain access to it.
Your team discovers this exposure approximately 9 months later.
5 minutes in: While investigating, we discover that Joe's sales territory includes the states of California and Virginia.
15 minutes in: Between the time Joe shared the report and the time the exposure was discovered, several prospective customers
had unsubscribed from all communications and were no longer potential sales leads.
Scenario 2: Daryl has been in conversation with his manager Caroline for a week about a big client meeting they have at the end of
the month. As he is replying to the email chain, he notices that there are two email addresses for Caroline in the thread.
On closer inspection, he realizes that one is Caroline.smith@zentoso.com, the correct address, and the other is
Caroline.smith@zenoso.com, a look-alike domain with one letter missing.
5 minutes in: The IT department informs Daryl that during the correspondence the phisher sent him a link to a file on a
"Sharepointe" site to review the approved customer pricing, which Daryl clicked on assuming it was the Zentoso "Sharepoint" site.
15 minutes in: Daryl was working this deal in collaboration with the company's Brazil office. Through the "Sharepointe" site, the
phisher was able to gain access to sensitive client payment information held in Brazil.
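A check the team may want on hand for this scenario, added here as an illustrative example and not part of the original exercise: a short Python script that flags thread participants whose email domain is a near-match for the company's own. The trusted domain list, the extra thread addresses and the homoglyph substitution table are assumptions for illustration; the two Caroline addresses are the ones from the scenario.

```python
"""Flag look-alike sender domains in an email thread.

Constructed example: compares every sender domain against the
organization's trusted domains using edit distance, after folding a
small set of common homoglyphs (0/o, 1/l, rn/m, ...).
"""

# Assumed homoglyph substitutions; extend to taste.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold(s: str) -> str:
    """Normalize characters an attacker commonly swaps for look-alikes."""
    s = s.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_senders(addresses, trusted_domains, max_distance=2):
    """Return (address, imitated_domain, distance) for every address whose
    domain is not trusted but sits within max_distance edits of one.
    A distance of 0 means the domain differs only by homoglyphs."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for addr in addresses:
        dom = domain_of(addr)
        if dom in trusted:
            continue
        for t in sorted(trusted):
            dist = levenshtein(fold(dom), fold(t))
            if dist <= max_distance:
                findings.append((addr, t, dist))
                break
    return findings


# Constructed thread: the two addresses from the scenario plus two extras.
THREAD_SENDERS = [
    "Caroline.smith@zentoso.com",
    "daryl.jones@zentoso.com",      # assumed colleague address
    "Caroline.smith@zenoso.com",    # the phisher's look-alike domain
    "vendor@example.org",           # assumed unrelated third party
]

if __name__ == "__main__":
    for addr, imitated, dist in lookalike_senders(THREAD_SENDERS, ["zentoso.com"]):
        print(f"{addr}: domain is {dist} edit(s) from trusted domain {imitated}")
```

The same check can be run over a mailbox export or mail-gateway logs before the exercise so the team can see how many look-alike domains already appear in real traffic; tune `max_distance` downward if the trusted domain is short, since short names collide with unrelated domains more easily.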
Scenario 3: Andrea is going on vacation for 2 weeks. The day before her trip, she is tasked with evaluating a potential vendor for
company use. Eager to get away, she rushes through the vendor assessment and approves the vendor for use.
A few days later, Kevin receives an email from the vendor stating that their systems were breached and that customer information
from your company may have been leaked. Kevin tries to reach Andrea, but her phone goes straight to voicemail and her
out-of-office reply states that she does not have access to email.
5 minutes in: During the investigation, it is determined that some of the leaked records belong to customers in Europe,
specifically in France, Spain and Italy.
15 minutes in: Two employees who used this vendor's software tell IT that they use the same password for the company CRM
software, and there is reason to believe the attackers have their user credentials.