1. Gaming the System: A Business Continuity Tabletop Exercise Simulation
Christine Brisson, Ph.D.
School of Arts & Sciences
University of Pennsylvania
Educause Security Conference
May 16, 2012
Copyright Christine Brisson, 2012.This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. Business Continuity Planning
Planning for extended loss of services or resources that the university depends on (also called “Mission Continuity Planning”)
Related to DR planning but not the same:
DR: What is the procedure to restore services if our server dies?
BC: How can we plan to function at the university if we lose services for several days or longer? What actions can we take now to help ensure continuity?
Cautionary tale: eg Hurricane Katrina. But smaller wins along the way: planning for personnel outages and then someone is out for an extended period.
We have a lot to get through, so I’ll be brief. You’ve probably been asked to make a BC (or MC, as we call it at Penn) plan, at least for your own department (IT, privacy, whatever). You want to make sure that your plan isn’t just a wasted exercise in paperwork – that the plan really would be useful if you ever needed it. One of the best ways to test the plan is with a tabletop exercise, but a tabletop exercise can be very hard to execute.
Difference between business continuity and disaster recovery.
Q: if you make the plan, and you make it for yourself, who will you test it on? And/or who will make up the test for you?

3. Business Continuity Planning at the School of Arts & Sciences
Enrollment: 6500 Undergrad, 1500 Grad
40 Academic departments in 23 buildings
A centralized BC planning team that works with individual departments to develop in-depth analysis of needs and detailed BC plans
Tackled toughest first: science departments in buildings with complex infrastructure needs
“BETH 3”: Buildings, Equipment, Technology, Human Resources, 3rd Party providers.
Once we’d put together a plan: now what? How do we know if it would be useful?
It was immediately clear to us that top-down planning would not be sufficient. There’s no way to capture all of the things that are essential to a biology department, the chemistry department, a history department, and English apartment, etc. by making a Soviet style centralized plan.

4. Tabletop Exercise: who attends?
People with a role in the plan (typically a Department administrator, a building administrator, IT support, other facilities staff, at least one faculty member, sometimes the chair.)
Other stakeholders (eg faculty)
One or two facilitators, and one or two note takers
In our case here at Educause, we will have more “actors” to give a chance for more people to participate

5. About the Chemistry Department
40 faculty, most of whom have large labs of between six and 12 grad students and postdocs
Four buildings, attached, over 250,000 square feet
Plan has several parts: Building Outage, Technology Outage, Equipment Outage, and NMR Facility Outage
Central Facilities provides most services
“Incident Response Team”
Spruce St. Labs
10th Ave.
Cohen Labs
Franklin

6. What, why, and how
A tabletop exercise (aka TTX) is a simulation of an adverse situation in an informal environment.
There are two primary benefits to doing a tabletop:
It gives people the chance to practice using the plan to respond to an emergency.
It’s one of the best ways to evaluate the plan: what works, what doesn’t, and what can be changed and improved.
Note this is my first slide that would be part of an actual tabletop exercise. So talk about how this is a simulation of a simulation, and how we will be jumping in and out of the exercise to talk about the exercise (which we don’t normally do).

7. What, why, and how, cont’d. We are particularly interested in:
whether the channels of communication are working as they should,
whether there is the right amount of specificity in the plan (should it be more specific or more general?), and
whether anything important has been left out.

8. What, why, and how cont’d: How will this work?
We will set the scene, and hand out cards with “triggers” on them.
Sometimes one or more individuals will be asked to step outside of the room to decide/consult on what to do.
Information you can get in a crisis is not always as complete as you might like.
Use the laptop if you decide to send to the whole group.
Ground rules are on the table.
The last 20 minutes (or so) are for debriefing
At the end, jump back out again and make sure everyone understands what they’re going to do.

9. Wednesday, May 4 2nd day of final exams
It has been warm and very rainy for the last few days.

10. Wednesday, May 4, 3:00 am

11. Wednesday, May 4, 5:30 am

12. Wednesday, May 4, 10:00 am

13. Wednesday, May 4, 1:00 pm

14. Wednesday, May 4, 3:00 pm

15. Wednesday, May 4, 3:00 pm

16. Wednesday, May 4, 8:00 pm

17. Thursday, May 5, 11:00 am

18. Thursday, May 5, 3:00 pm

19. Thursday, May 5, 6:00 pm

20. Friday, May 6, 10:00 am

21. Friday, May 6, 11:00 am

22. Friday, May 6, 2:00 pm

23. Saturday, May 7, 3:00 pm

24. Monday, May 9, 11:00 am

25. Tuesday, May 10, 11:00 pm

26. Wednesday, May 11? Some other date?

27. Discussion Questions? Comments?
Differences between our “simulation of a simulation” and the way we do a TTX at Penn
Maybe questions first, don’t want to damp down their enthusiasm by speechifying at them right away.

28. Final Points
People who need to use the plan can give feedback about how to improve it
Using a plan in a TTX helps people see how the plan could be useful to them (not just paperwork)
Planning:
Allocate several weeks
Enlist ‘informants’
Make it believable
Buy them lunch!