Skip to main content
Promotion: Promotional Banner Image

CUNA is now America’s Credit Unions.
A stronger voice to advance the credit union industry.

Learn More

What Is Tabletop Testing?

By TraceSecurity

April 2023

You can’t always know what’s going to happen to your organization, but you have policies and procedures in place to handle the unknown: business continuity plans (BCP), disaster recovery plans (DRP) and/or incident response plans (IRP). Having these plans in place is a great first step, but do you know if your plans will actually work in practice? This is where tabletop testing comes in.

What Is Tabletop Testing?

Tabletop testing is a coordinated response exercise to disastrous scenarios that could happen to your organization. You’ll gather together the key personnel included in the response plan and walk through scenarios to see if your written plan actually makes sense in response to various disasters.

These test scenarios typically fall into one of two categories:

  1. Natural Disasters – flood, wildfire, tornado, earthquake, pandemic
  2. Internal Incidents – ransomware, phishing hack, rogue employee, building fire

TraceSecurity recommends tabletop testing to be done based on two scenarios, one from each category, to get a good view into the types of disasters you may need to respond to.

Once you determine the scenarios you want to test your plan against, the key personnel will sit down and talk through the response and recovery actions documented in your plan. As you talk through your documented plan, you’ll be able to see where any gaps are and what may need to change for a more effective response.

Your Policies and Procedures

When it comes to tabletop testing, there are three common types. Your organization may have all three of these policies or could have them combined into a single response plan. As you read what each policy is meant for, it’s easy to see the necessary overlap:

  • Business Continuity Plan (BCP)

A business continuity plan involves your business running normally in the event of a problem or disaster. This is to ensure that your company continues operations for members and employees in the event that something goes wrong. Pausing business even for a moment can cause loss of trust among your members, so it’s a good idea to have a plan to function through disaster scenarios.

  • Disaster Recovery Plan (DRP)

A disaster recovery plan typically involves the recovery from a natural or man-made disaster. Disaster can strike in many forms, including fires, earthquakes, flooding and more. These plans are important to have, considering any one of these could easily cause business disruptions. This can include having a secondary location for continued business operations, backups of information and databases, and more.

  • Incident Response Plan (IRP)

The incident response plan revolves around cybersecurity incidents. These sorts of incidents include things like hacks made against your systems through things like brute force or phishing. Cybersecurity incidents can come from a variety of sources, and this plan aims to mitigate any harm caused. Cybersecurity awareness and training are big parts of these plans, which can prevent these attacks before they even start.

Annual Testing

Each year you go through personnel changes, restructuring, acquisitions and any number of business moves that will affect who and how your recovery plans are carried out. With annual tabletop tests, your organization will be able to make necessary updates and put its best foot forward in the event of a disaster.

It’s considered best practice to perform tabletop testing at least annually, and it’s now a specific compliance requirement for credit unions under the 2023 ISE Program. No matter the asset size, all credit unions are required to perform annual tabletop testing. You can read more about the NCUA ISE requirements in our article, NCUA ISE Requirements.

Tabletop testing services from TraceSecurity include two scenarios (of your choosing) by default. During our service, one of our information security analysts will facilitate your team’s tabletop exercises, making notes of any observed gaps or recommended updates. As a third-party observer, they will likely notice things that your team may overlook or not think about.

To learn more about tabletop testing for all response plan types, connect with TraceSecurity.

About TraceSecurity

TraceSecurity has provided over 30,000 examiner approved reports, helping credit unions of all sizes maintain compliance year after year. A CUNA Strategic Services provider since 2006, TraceSecurity helps credit unions with a range of cybersecurity services, including risk assessments, penetration testing and IT audits. With a combination of software and services, TraceSecurity can help credit unions manage their information security program and supplement it with third-party validation.