“It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises as practice to see what we would do in the event of a disaster,” said Mark Gabehart (Round Rock ISD). As Mark’s voice filled the respectful silence as he spoke, his turn of phrase caught my ear. Whatever did he mean by “tabletop exercises?” In this blog entry, we’ll discuss the value of tabletop exercises for being prepared when disaster strikes in the areas of cyber security, disaster recovery, and business continuity. You will also find a complete game that you as a technology leader can use right away.
Developing the Tabletop Exercise
Upon looking up the phrase, I stumbled across this definition:
The tabletop exercise is a meeting to discuss a simulated emergency situation. Members of the campus review and discuss the actions they would take in a particular emergency, testing their emergency plan in an informal, low-stress environment.
Some suggestions for developing tabletop exercises include the following:
- Exercise(s) should engage participants.
- Participants with diverse backgrounds should be expected to work together to craft an organizational response to a hypothetical incident.
- Each scenario requires knowledge of, as well as presents the opportunity to enhance, actual cyber security, disaster recovery, and/or business continuity plans.
- The exercise makes manifest opportunities to hone team member strategies and skills to capably resolve real life problems.
Problem-based learning (PBL) often finds its home in emergency planning. In an actual disaster recovery situation, the natural process for school districts to follow involves dealing with the consequences, reflecting on what happened, determining how to best mitigate the consequences, and then working to ensure the incident does not reoccur. Depending on the severity of an emergency, putting the pieces of status quo back together again may be difficult. Doing so in the days and weeks after an event may prove impossible. How can schools and districts solve problems in advance?
Let’s take a closer look at the theoretical, research-based underpinnings of learning by experience.
Power of Experiential Learning
“Learning is the process whereby knowledge is created through the transformation of experience,” says David Kolb (as cited in source). This may actually resemble the diagram shown below:
While each disaster has its own mix of consequences unique to a situation, following an experiential learning approach (a.k.a. scenario-based learning, as my colleague Diana Benner (@diben) pointed out to me) to prepare can save the day. Let’s walk through what this process may look like.
The Game
When Round Rock ISD’s Chief Technology Officer suggested tabletop exercises, I imagined having access to a digital card deck of scenarios. Below, please find a link to my ongoing effort. It features twenty plus scenarios with more in the works. As you can see, it is modeled after a card game with a similar name. However, this version features embedded videos.
The Game will provide school district and other teams with a variety of scenarios from my own experiences, as well as YouTube news video clips of actual events. The scenarios address cyber security, cyber safety, disaster recovery, and business continuity. As such, they are a perfect tool for small and large district Chief Technology Officers (CTOs) seeking to mobilize their emergency response teams.
For the sake of organization, allow me to rely loosely on the aforementioned scenario-based learning model.
1. Scenario/Story Presentation
Cross-functional teams, including members of Business (Risk Management), Curriculum, Transportation, and other key areas, would be present.
2. Hands-On Lab
In the hands-on lab, each group would investigate and evaluate their respective plans to see if it deals well with the scenario. For example, while the technology department team might have strategies for encrypting data on hard drives, the business department might lack a policy for requiring encryption when exchanging data with third party vendors. This can be significant. Loss of a laptop with encrypted data falls under the Texas Safe Harbor laws. Decrypted data exposed while in the hands of a third party vendor (e.g. Texas Department of Agriculture, for example) does not.
Group members who detect an absence of a strategy (e.g. failure to protect data via encryption) must prepare action steps to formulating one they can bring for team discussion.
3. Team Discussion
After reviewing internal policies and identifying gaps and weaknesses, group participants work together to craft a comprehensive solution that makes one policy of multiple approaches to a problem. Individual teams will prepare their work and share it with the whole group for assessment with more probing analysis for alignment.
4. Homework/Decision-Making
In this final stage, all are committed to continuing to fine-tune existing disaster recovery and continuity plan to address unforeseen scenarios. This step involves presenting to the superintendent’s cabinet. Engage everyone responsible via professional learning.
Get Started Now
Players, get your teams together! It’s time to solve those tough problems. You won’t be wasting your time, not with over 1,200 cyber security incidents and countless data breaches affecting millions of people in 2017 alone.