CMA CCTE Checklist 1903
This document contains a Cyber Tabletop Exercise Template created by the deeply
experienced cybersecurity experts at Cyber Management Alliance. It contains
valuable guidance on how to conduct a successful and meaningful Cyber Tabletop
Exercise in your organisation.
You could view this document as a step-by-step guide for hosting your own
Cyber Tabletop Exercise. If you need help in building a scenario for your Tabletop
Exercise, use our FREE Top 30 Cyber Tabletop Exercise Scenarios Document.
Good luck!
Determine the Type of Exercise
This is probably the most important first step. You need to decide the type of
exercise you want to conduct and the type of participants.
Determine the Type of Exercise (cont)
Please note: In our opinion all identified participants should stay for the
whole session even if they may play a small role in the tabletop session.
Onsite or Remote?
Based on our experience of conducting hundreds of tabletop sessions,
we strongly recommend that you go all in on either onsite or remote sessions.
Let’s get down to the checklist!
Type, Participants & Location
● Ensure you have management sponsorship.
● If possible, get this in writing/communicated officially.
● Observers:
  ● Ensure you have at least one observer who knows the participants and the organisational context.
  ● Ensure that they know their responsibilities.
  ● Ensure that they understand the technologies/systems/assets.
  ● Create an Observer’s Guide.
  ● Sign an additional Confidentiality agreement if necessary.
Scheduling & Documentation
● Work backwards: As part of your first few actions, send out at least two preferred dates 6 – 8 weeks ahead of the date you start working with the external consultancy.
● Give back time: Add at least a 30-minute buffer to the total time (it’s always better to give time back than to overrun).
● Communicate with the participants regularly to remind them of the upcoming tabletop exercise.
● Documents to create + share:
  ● Provide them with the Terms of Reference at least 2 weeks before the tabletop session.
  ● Provide them with a Participant’s Guide at least 2 weeks before the exercise.
  ● Send everyone calendar invites with clear instructions on joining and necessary information.
  ● Settle and communicate the FINAL number of invited participants to the group.
● After the exercise, finalise the names of and total number of NO-SHOWS.
Planning
● Agree on the critical asset(s) you are going to target in this exercise.
  ● Ideally don’t have more than 2 critical assets.
  ● Consult with your BIA document for confirmation.
  ● Consider a critical third party if necessary.
● For the selected asset, ensure you understand the full impact on the business (refer to BIA).
● Story + Details
  ● If conducting a CCTE for executives, be creative and create a backstory.
  ● For executives, think about adding threat actors.
  ● For technical audiences, focus on the deep + technical details.
  ● For operational management, focus on the details and on business continuity.
  ● Create simple-to-understand attack workflows to show at the end of the tabletop session.
  ● Use existing geo-political news to build your story.
  ● Create injects that the audience may not expect.
  ● Review any past incidents/attacks to build your existing scenario.
  ● Ensure your slides aren’t too ‘busy’.
  ● Use images and only a few words where possible.
  ● If there is a BIG cyber-attack around the time of the exercise, mention it during the introduction or towards the end.
Planning (cont)
● Questions + Answers
  ● Focus on the questions you want the audience to answer.
  ● Be clear with the participants on the type of answers you are looking for:
    ● Detailed + typed.
    ● Discussion/focused answers.
  ● When writing technical questions, ensure the questions are technology specific (Example: A firewall-related question should ideally be focused on the vendor product you are using. This is not mandatory).
Dry Run
● Conduct at least 2 dry-run sessions with the observer(s).
● Review the questions in detail (get sample answers if possible).
● Be aware of how long the session will last.
● Try to map the questions to the participants.
After the Session
● At the end of the tabletop, thank all the participants for taking time off and for their participation.
● Inform participants about what happens next:
  ● Report
  ● Recommendations
  ● Feedback
● Report:
  ● Ensure you receive all the notes from the observer(s).
  ● Collate all this information to create your summary report.
  ● Ensure you highlight the noteworthy comments and responses and the areas of improvement.
  ● Clearly describe the recommendations and ensure specificity where possible.
● Debrief:
  ● If required, host a tabletop debrief session where you can typically be more straightforward with session and attendee feedback.
  ● Keep the session short – maximum 30 minutes.
info@cm-alliance.com | https://cm-alliance.com | +44 203 189 1422 | @cm_alliance