The MiSecure team has developed this set of tabletop exercises for school districts to enhance their preparedness for cybersecurity events and incidents.
Each exercise has specific goals and outcomes. Exercises range in time commitment from 15 minutes to 3 hours and can be adapted for use in your district.
These exercises build upon the MiSecure Incident Response Planning templates.
Exercise Catalog
Emergent Incident with Widespread Impact

Purpose: Provide a cross-sectional team with the opportunity to respond to an emerging cyber event through multiple exercise modules and injects. Can be run as an experiential exercise or with explicit references to your cybersecurity incident response plan (you can’t do it if it isn’t written in your plan).
Participants: Ideally a cross-sectional team from the district, including district leadership, tech team, and department leadership. Roles for individuals not present can be played by people who are present.
Prerequisites: No specific prerequisites, although familiarity with the district’s cyber incident response will better prepare the team for the exercise.
Expected Outcomes: Clarification of the roles required and a better understanding of the actions each role will be expected to take during a cyber incident. Practiced response leads to a better-coordinated response to an actual incident. Improvements to the cyber incident response plan.
Length: 2-3 hours
Scenario Theme: Full-stack scenario including threat alerts from FBI/CISA, malicious activity, compromised credentials, data theft, ransomware.
Incident Severity: Low through Critical
Facilitator: Experienced Facilitator
Notes: Pilot went well with tech teams from multiple districts in the room. Members played different roles including superintendent, athletic director and transportation director. Ideas that came up: role players made some assumptions about what their character would do – opportunity to clarify.
Executive Team Coordinated Response to Cyber Incident
PDF | Google Slides Template | Facilitator’s Guide

Purpose: Provide a district’s executive team the opportunity to walk through a cyber incident as a team, testing their ability to evaluate business risk, coordinate response, and evaluate incident response plans.
Participants: District Executive Team
Prerequisites: No specific prerequisites, although familiarity with the district’s cyber incident response will better prepare the team for the exercise.
Expected Outcomes: Better understanding of the executive team’s ability to respond to a cyber incident. Improve ability to coordinate a response to an actual incident. Improve the district’s cyber incident response plan.
Length: 1 hour, but could be extended to 1.5 based on discussion and availability of participants.
Scenario Theme: data theft and extortion
Incident Severity: High
Facilitator: Experienced Facilitator
Cyber Incident Response Plan Test
PDF or Financial PDF | Google Slides Template SIS or Financial Information System | Facilitator’s Guide

Purpose: Evaluate the Cyber Incident Response Team’s ability to use the existing cyber incident response plan to respond to a simulated incident.
Participants: Named individuals on district CSIRP and/or named alternates (technical folks).
Prerequisites: District-approved or draft CSIRP. Participating individuals should be familiar with the plan and their roles in the plan.
Expected Outcomes: Test a district’s Cyber Incident Response Plan. Test the team’s ability to follow the plan. Identify opportunities for plan improvement. Serves as the annual test of the CSIRP.
Length: 2-3 hours?
Scenario Themes: Data Theft or Discovery of digital intruder
Incident Severity: Medium to High
Facilitator: Experienced Facilitator
Notes: “You can’t do it if it isn’t in the plan”
Restore from Backups
PDF | Google Slides Template | Facilitator’s Guide

Purpose: Evaluate the tech team’s ability to restore from backups after a ransomware event.
Participants: District tech team
Prerequisites: Draft or better cyber security incident response plan and draft or better data/system restore playbook.
Expected Outcomes: Answer urgent management questions about backup processes, restoration capabilities, and timelines in a business-focused manner. Experience a scenario where restoration precedes intruder eviction. Detailed discussion of the district’s restoration process. Improve cyber security incident response plan and data/system restoration playbook.
Length: 2.5 hours
Library of 15 Minute Quick Tabletops
Purpose: Practice! Quickly test sections of the cyber incident response plan in small groups to build familiarity with the plan and the kinds of incidents that could occur.
Participants: Scenarios involve various teams and stakeholders.
Prerequisites: Ranges from none to tested plan.
Expected Outcomes: Drill for tech team on low to medium severity incidents. Familiarization for line of business on medium to high severity incidents. General staff training/familiarization? These scenarios can serve purposes from drilling with the tech team to building familiarity with incidents among line-of-business staff and leadership.
Length: 15-30 minutes
Other Resources
CISA Tabletop Exercise Packages include multiple scenarios and details for complete functional exercises.