TechTarget.com/searchdisasterrecovery

https://www.techtarget.com/searchdisasterrecovery/definition/tabletop-exercise-TTX

What is a tabletop exercise (TTX)?

By Paul Kirvan

A tabletop exercise (TTX) is a disaster preparedness activity that takes participants through a simulated disaster scenario. The abbreviation "TTX" comes from the federal government and is typically used in public sector activities.

A tabletop exercise is generally discussion-based, using an outline as a formal structure to guide participants through each stage. The exercise not only helps participants familiarize themselves with the emergency response process, but also enables administrators to gauge the effectiveness of the organization's disaster recovery (DR), business continuity (BC), incident response and emergency management practices.

Typically, a facilitator guides participants through the exercise, taking them through a particular narrative and discussing what steps should be taken. Potential scenarios for tabletop exercises include natural disasters and pandemic responses, but these might differ depending on the organization's location and the industry's nature. Participants can typically complete tabletop exercises over the course of a few hours.

During an exercise, the facilitator may introduce what are called "injects" to challenge the participants. A typical inject can take the exercise off what appears to be its logical course, forcing the participants to adapt their thinking and responses to the new information. This is meant to mirror what can happen in a real-world event, which may or may not unfold in the ways emergency teams have been trained.

What's the purpose of tabletop exercises?

The purpose of a tabletop exercise is to evaluate an organization's preparedness for a particular disaster scenario and to inform required participants of their roles in the response. Whether it is destruction to facilities, loss of personnel or data loss from a cyberattack, a tabletop exercise goes through every aspect of a response from initial awareness of an event to where recovery efforts can be launched.

While they may use an accelerated timeline to optimize the participants' time, tabletop exercises, as designed, cover every aspect of the hypothetical scenario, from beginning to post-disaster efforts, which include preparing an after-action report (AAR). They evaluate internal resources, lay out any external agencies the organization might call upon for assistance and identify which means of communication will be available at the time.

Tabletop exercises can also examine the competence of emergency team members. During an exercise, it becomes evident that some participants are better suited to leadership roles, whereas others may be better suited to supporting roles. The need for additional training, e.g., fundamental emergency response or specialized responses, such as for hazardous materials (hazmat), can also be identified during an exercise.

Since the exercise is typically held in comfortable surroundings, such as a conference room or a virtual conference, it may be challenging to determine how each team member will react during an actual disaster event. Even though well-planned tabletop exercises can validate many important response procedures and logistical concerns, any real-world response can only be found in a live event.

The outcome of a tabletop exercise can inform future DR planning and determine new guidelines the organization might need to implement. An exercise might also identify gaps in personnel knowledge or IT security flaws. Key personnel present during the exercise can become more comfortable with their roles in disaster scenarios and witness how the entire response will play out across the organization.

Following the exercise, participants and facilitators should compile an after-action report, detailing any key findings or questions highlighted during the exercise.

Benefits and challenges of tabletop exercises

Performing exercises is one of the most critical aspects of DR, BC, incident response and emergency management activities. Exercises of any kind, whether tabletop or a full-scale system outage, are essential tools that prepare participants for an actual disaster. The following are some key benefits:

• Identifying flaws or weaknesses in a disaster preparedness plan, structure and procedures.
• Recognition of how well emergency teams know their roles and responsibilities.
• The opportunity for participants to ask questions they might not otherwise think to ask, especially in a live event.
• Increases confidence of senior leadership that the team is prepared to handle an emergency.
• Identify the interactions of internal departments and/or external entities, such as first responders, vendors and suppliers, utility companies, and state and federal government agencies like FEMA.
• Identify gaps in needed resources, locations where teams can be staged and deployed and other logistical concerns.
• Discovering individuals who may need more training to increase their competence.
• Recognizing individuals who should be in leadership roles and who should be in supporting roles.
• Demonstrating an organization's compliance with standards and other guidance that address testing and exercising.
• Tabletop exercises are convenient and can save time and money, provided their role in emergency preparedness is understood and agreed upon in advance.

Preparedness exercises are an important commitment that comes with inherent challenges:

• The cost and time needed to prepare for and execute a tabletop exercise must be carefully evaluated.
• Selection of the proper facilitators and participants can be an issue, owing to their availability, experience and prior job commitments.
• Lack of senior management support for regular exercising can result in an organization that is unprepared to address disruptive events
• A tabletop exercise cannot replicate every aspect of a hypothetical disaster scenario.
• These exercises provide a limited amount of emergency response data, and actions in the future post-exercise must consider this data.
• Tabletop exercises are no substitute for more rigorous exercises where systems are shut down and power is turned off to see how emergency teams respond; however, such exercises can be difficult to orchestrate, and there may be concerns about disrupting production systems.

For example, an organization might prepare for losing access to its primary data center. Still, that scenario might not foresee a simultaneous loss of access to a cloud or off-site data center. While this is improbable, it is not impossible. In the interest of saving time or prioritizing more common disasters, organizations might overlook scenarios that seem unlikely. That oversight could leave them unprepared.

Common disaster scenarios include the following:

• Earthquake
• Hurricane
• Severe weather with high winds
• Lightning strikes
• Flood
• Mudslide
• Sinkhole
• Tornado
• Loss of power
• Fire
• Wildfire
• Pandemic or epidemic
• Cyberattack
• Electromagnetic pulse
• Severe solar prominences
• Office/building emergency
• Human-triggered event

The type of emergency will determine the scope of the response, required personnel and inform the participants of their priorities and available resources. For example, if it is a cyberattack, the data protection team will have different action items than they would in the event of a natural disaster.

Standards and good practices for exercising

Before embarking on a tabletop exercise, it can help to review guidance documents addressing the challenges of testing and exercising. The following is a partial list of relevant standards and guidance for running tabletop and other exercises:

• ISO 22398:2013 -- Societal security -- Guidelines for exercises.
• NIST SP 800-84:2006 -- Guide to Test, Training and Exercise Programs for IT Plans and Capabilities.
• Federal Financial Institutions Examination Council's (FFIEC) Business Continuity Management.
• Homeland Security Exercise and Evaluation Program (HSEEP).
• National Incident Management System (NIMS) Fact Sheet for Private Sector Organizations.
• Business Continuity Institute's (BCI) Good Practice Guidelines.

Tabletop exercise template

While the standards and guidance listed above provide important structural and content information for exercises, we have developed a template to simplify the process of setting up a tabletop exercise.

Click on the above image
to download our free
tabletop exercise template.

Additionally, an after-action report template has been developed to simplify that activity.

The following section of these templates provides simple steps for planning and executing a tabletop exercise.

Preparing for and executing a tabletop exercise

The following are steps to take when pursuing a tabletop exercise.

1. Determine what needs to be exercised, e.g., a disaster recovery or incident response plan.
2. Determine who will lead the planning process.
3. Determine who will be the facilitator and participants.
4. Secure senior management approval for the exercise.
5. Select a location for the exercise, e.g., a conference room or perhaps a virtual exercise using a conference tool like Teams or Zoom.
6. Select a scenario for the exercise, including the exercise flow and potential injects to challenge the participants.
7. Schedule the exercise, allowing sufficient time to address all aspects of the exercise.
8. Prepare the exercise content, e.g., a slide presentation, and perhaps video content; ensure plenty of opportunities for participants to discuss the situation as it progresses.
9. Ensure that any audio/visual equipment is reserved.
10. When launching the exercise, introduce the facilitator and participants.
11. Move through each step of the exercise, ensuring opportunities for discussion.
12. Take a break, if needed.
13. Upon completing the exercise, ask for participant feedback.
14. Soon after the exercise, prepare an after-action report.
15. Schedule a briefing to review the after-action report.
16. Prepare a report to senior management on the exercise.

Example of a recent tabletop exercise

A government agency in the Washington, DC area recently conducted a tabletop exercise of its incident response capabilities. The exercise used a scenario in which a cyberattack occurred in the agency's network infrastructure, resulting in a denial-of-service attack that disabled many of the agency's critical systems. Additionally, a ransomware attack locked out critical data that the agency needed to support its customers,

Participants walked through each step of the incident, discussing how their existing incident response plan and IT organization would be engaged in the response. Several injects were added to complicate the scenario further.

As noted in the AAR, incident team members responded well to the situation, but needed to identify alternate means of communicating with IT and other departments, working on the assumption that the network infrastructure was hampered. The team agreed that updates to their incident response plan's structure and contact listing were warranted.

Tabletop exercise vs. other exercises

A tabletop exercise is one of seven types identified by the HSEEP for disaster preparation. These exercise types fall into two categories: discussion-based or operations-based.

Download our free after-action
report template for future exercises.

Discussion-based

• Tabletop exercises
• Seminars and workshops are used to inform.
• Games, which are more informal than a tabletop exercise and do not replicate scenarios as closely.

Operations-based

• A drill is performed when one specific function or process can be tested, possibly in real time.
• A functional exercise goes further, with multiple participants performing duties in a simulated environment. It coordinates communications between the organization and any agencies it might need to rely on in a disaster scenario.
• A full-scale exercise imitates the response as closely to the real situation as possible, engaging with emergency services and possibly even local businesses. Full-scale exercises entail responding in real time and on location.

How strong are your enterprise security defenses? From tabletop games to live-fire exercises, see how these tests work -- and why the differences matter.