MISSION:  Each small group develops one IT incident response scenario to be exchanged with another group during breakout session. Unified Command will be simulated in the main session by Blackrock 3 staff.

RESPONSIBILITIES:

Incident Leader: Drive the discussion and delegate tasks.

Person responsible for Tactical Documentation: Capture key events and decisions as the discussion unfolds. Their documentation should be compiled using the Tactical Documentation spreadsheet linked below so that it can be archived and easily shared.

Person responsible for Communications: Provide briefings as directed. May use the shared Tactical Documentation file document to develop their briefing, or they may use their own notes. The briefing should be written electronically and saved on their local desktop so that they can access it when leaving to deliver a briefing to Unified Command or another group.

INSTRUCTIONS:

Part 1: Scenario Creation
The group must come up with a past, present or potential IT incident response scenario, including enough specific and accurate detail to convey the signs and symptoms of the current conditions. The group does not provide resolution actions or needs in this document.

An example of a scenario would be:

Customer Service Representatives (CSRs) are unable to log into the billing application to processor customer payments. This issue is only impacting new users trying to sign in; users already logged into the application are not impacted. The issue is impacting approximately 300 CSRs in the Northeast Division for our biggest customer. The incident was discovered at 09:00 CST. Initially, this was thought to be an issue on the client side as some IP changes occurred around the same time the issue started. However, after the change was reverted the issue persisted. All other desktop applications are functioning normally. Currently, the only impact is to the billing application.

Part 2: Briefing Delivery
Once the scenario is drafted, the person handling Communications will return to the main session, where they will be assigned to an alternate breakout room to deliver a briefing.

Each group is then briefed, and any qualifying questions about the scenario are answered, by the person that has joined their group. Once that task is complete, the person delivering the briefing returns to the main room and is returned back to their original group by the instructor.

Part 3: Resolution Planning
The Incident Leader then drives a discussion about resolving the scenario. The group must develop a primary resolution plan and a contingency resolution plan (Plan B). The person responsible for Tactical Documentation should capture key events and decisions using the same methods as earlier in the exercise. The person responsible for Communications should be preparing to deliver a briefing to UC or upon return to the main group.

Deliverables:

● Identify SEV or P level for the incident.
● Create a list of SMEs, vendors, Executives, etc. that would be dispatched to the incident.
● Draw an org chart depicting all the incident responders identified above.
● Draft an overall Mission Objective for the response.
● Draft a CAN report for the primary resolution plan and Plan B.
● Identify any unique aspects or challenges of the response that may pose a challenge to the resolution effort.
● List the cadence and potential audiences for any communications briefings that need to occur outside the resolution effort.
● The person responsible for Communications delivers the scenario briefing back to the entire group in the main session at the conclusion of the exercise.
● The person responsible for Communications drafts a briefing representative of the beginning, middle or end stage of the incident.