Data Loss Tabletop Template.docx

Data Loss Tabletop Template

Template for conducting a tabletop exercise focused on a data loss scenario.

This page contains AI generated content. Errors or omissions may be present. Use human level critical thinking.
  • Q: What specific decision point distinguishes the 'Containment' phase in a data loss scenario?
    A: Whether to disconnect affected systems from the network to stop the exfiltration, or to keep them online to monitor the attacker's activity. Disconnecting stops the loss but sacrifices visibility and may alert the attacker; staying online preserves visibility at the cost of continued loss, so the exercise should record who makes that call and on what criteria.
  • Q: How does the template suggest assessing 'Legal' involvement?
    A: By determining at what specific threshold (e.g., number of records, type of data) legal counsel must be engaged to direct the investigation.
  • Q: What is the critical 'Evidence Preservation' step mentioned?
    A: Ensuring that volatile data (RAM contents, running processes, active network connections) is captured before systems are powered down or rebooted. This step is often skipped in a panicked response, and the evidence it would have preserved cannot be recovered afterwards.
  • Q: How does the scenario address 'Internal Communication'?
    A: It tests whether there is a secure, out-of-band communication channel (e.g., Signal, non-corporate email) if the primary email system is compromised.
  • Q: What is the 'HR' role in a data loss incident involving an insider?
    A: Managing the suspect employee (suspension, interview) without alerting them to the investigation prematurely.
  • Q: How does the template measure 'Readiness'?
    A: By evaluating if the team had access to the necessary tools (forensic software, log aggregators) and permissions during the exercise.
  • Q: What is the strategic implication of 'Public Disclosure' in this scenario?
    A: Balancing the need for transparency with the risk of tipping off the attacker or causing undue panic among customers.
  • Q: What specific 'Gap Analysis' outcome is expected?
    A: Identifying specific logs or data sources that were needed for investigation but were unavailable or insufficient.
  • Q: How does the template suggest handling 'Remote Employees'?
    A: Testing the capability to isolate or wipe devices that are not physically on the corporate network.
  • Q: What is the 'Recovery' objective in a data loss scenario?
    A: Not just restoring systems, but validating that the exfiltrated data has been identified and the vulnerability closed.
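The evidence-preservation point above (volatile data captured before shutdown) and the readiness point (were the tools and permissions actually available?) both benefit from a collection script staged before the exercise rather than written during it. The following is an added example and is not part of the template or of any vendor tooling: a POSIX shell collector that follows the order of volatility (RFC 3227), attempts a RAM image with Microsoft's AVML tool if it is present on the host, records every artifact it could not capture as a gap, and hashes everything it wrote. The artifact list, file names and output layout are my assumptions.

```shell
#!/bin/sh
# Added example: volatile-first evidence capture for a data-loss incident.
# Not part of the tabletop template; artifact list and file layout are
# assumptions. Run as root on the affected host BEFORE any shutdown or reboot.
#
# Order of volatility (RFC 3227): RAM first, then process and network state,
# then everything that survives a power cycle. Every command you run perturbs
# memory, so the RAM image is taken first and the live-state commands after.

hash_file() {
    # sha256sum on GNU systems, shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

run_step() {
    # $1 = artifact name, $2 = command line. Output goes to $OUTDIR/<name>.txt.
    # A tool missing from this host is logged as a gap (exactly the readiness
    # finding a tabletop is meant to surface) instead of aborting the capture.
    tool=${2%% *}
    if command -v "$tool" >/dev/null 2>&1; then
        sh -c "$2" > "$OUTDIR/$1.txt" 2>&1 || true
        printf '%s\tcaptured\t%s\n' "$1" "$2" >> "$OUTDIR/collection.log"
    else
        printf '%s\tmissing\t%s not installed\n' "$1" "$tool" >> "$OUTDIR/collection.log"
    fi
}

collect_volatile() {
    # $1 = output directory: removable media or a mounted share, never the
    # compromised host's own disk, which may be imaged later.
    OUTDIR=$1
    mkdir -p "$OUTDIR" || return 1
    : > "$OUTDIR/collection.log"

    # 1. RAM image. AVML writes a LiME-format image; if it is not staged,
    #    record the gap rather than improvise on a live incident.
    if command -v avml >/dev/null 2>&1; then
        avml "$OUTDIR/memory.lime" 2>>"$OUTDIR/collection.log" || true
        printf 'memory\tcaptured\tavml\n' >> "$OUTDIR/collection.log"
    else
        printf 'memory\tmissing\tavml not staged on this host\n' >> "$OUTDIR/collection.log"
    fi

    # 2. Live state, most volatile first. ss and netstat are both tried
    #    because minimal hosts rarely carry both.
    run_step time            'date -u +%Y-%m-%dT%H:%M:%SZ'
    run_step kernel          'uname -a'
    run_step uptime          'cat /proc/uptime'
    run_step processes       'ps -eo pid,ppid,user,lstart,args'
    run_step sockets         'ss -tunap'
    run_step sockets_netstat 'netstat -tunap'
    run_step arp_cache       'cat /proc/net/arp'
    run_step routes          'cat /proc/net/route'
    run_step mounts          'cat /proc/mounts'
    run_step logged_in       'who'

    # 3. Integrity: hash every artifact so chain of custody can be shown.
    (cd "$OUTDIR" && for f in *.txt *.lime; do
        if [ -f "$f" ]; then hash_file "$f"; fi
    done > MANIFEST.sha256)
    printf 'Capture written to %s; review collection.log for gaps\n' "$OUTDIR"
}

# Usage: sh collect_volatile.sh /mnt/evidence/host01-$(date -u +%Y%m%dT%H%M%SZ)
if [ "$#" -gt 0 ]; then
    collect_volatile "$1"
fi
```

Two practical notes. First, on a host the attacker has owned, `ps`, `ss` and friends may themselves be trojaned; the script should be run with statically linked copies of those tools from the evidence media, and the tabletop should ask whether such a kit exists. Second, the `missing` rows in `collection.log` are the exercise's gap-analysis output: each one is a tool or permission the responders assumed they had and did not.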
