Tabletop Exercise — March 2026¶
Document ID: IRP-EX-001
Exercise type: Tabletop (walkthrough simulation)
Date: 21 March 2026, 09:00 — 09:45 CET (before Management Review)
Facilitator: Sebastian Windeck (CTO)
Participants: Jan Marc Castlunger (ISO), Sebastian Windeck (CTO), Malte Toetzke (Chief of AI)
1. Objective¶
Validate the Incident Response Plan (PROC-001) by walking through a simulated high-severity security incident (a compromised customer API key). This exercise:
- Tests the team's understanding of roles, escalation paths, and communication procedures
- Identifies gaps in the IRP before the ISO 27001 Stage 1 audit
- Provides the evidence required for ISO 27001:2022 control A.5.24 (information security incident management planning and preparation)
- Upgrades the IRP from v0.9 (draft) to v1.0 (approved)
2. Scenario: Compromised API Key with Data Exfiltration Attempt¶
2.1 Background¶
09:15 CET, Wednesday: Azure Monitor triggers a high-severity alert. An API key belonging to Customer "Acme Corp" is generating 50x the normal request volume from an unrecognised IP address (originating from outside the EU). The requests are targeting the document verification endpoint with valid authentication but unusual patterns — bulk submissions of synthetic/test images at a rate of 200 requests per minute.
2.2 Injects (Revealed During Exercise)¶
| Time | Inject | Purpose |
|---|---|---|
| T+0 min | Alert received: "Acme Corp API key — anomalous traffic from 185.x.x.x (non-EU)" | Initial detection and classification |
| T+5 min | Acme Corp contacts support: "We haven't changed our integration — we think our key was leaked" | Customer communication; confirms compromise |
| T+10 min | Log analysis shows: 3,200 requests in 16 minutes; all returned 200 OK; no actual government ID images submitted (synthetic test data) | Impact assessment; data exposure evaluation |
| T+15 min | The IP address is traced to a known cloud hosting provider; no personal data was exposed but the compromised key could access real endpoints | Decision point: containment vs monitoring |
| T+20 min | Acme Corp asks: "Do we need to notify our regulator?" | GDPR considerations; customer guidance |
2.3 Discussion Questions¶
For each inject, the team should discuss:
- Who is notified? (per IRP escalation matrix)
- What severity classification? (P1/P2/P3/P4)
- What immediate actions are taken?
- Who communicates externally? (customer, regulators)
- What evidence is preserved?
- When is the incident resolved?
3. Expected Responses (Reference)¶
| Phase | Expected Action | IRP Reference |
|---|---|---|
| Detection | Azure Monitor alert triggers notification to ISO + CTO | IRP Step 1 |
| Classification | P2 (High) — compromised credential, no confirmed data breach | IRP Step 2 |
| Containment | Revoke compromised API key immediately; issue new key to Acme Corp | IRP Step 3 |
| Investigation | Review all requests from suspicious IP; confirm no real personal data submitted | IRP Step 3 |
| Communication | Notify Acme Corp of key revocation and new key issuance; update status page if service impact | IRP Step 4 |
| GDPR assessment | No personal data breach confirmed → 72-hour notification to the supervisory authority (BfDI per the IRP) under Art. 33 GDPR NOT required; record the assessment and its reasoning anyway (Art. 33(5)); advise Acme Corp of the same, noting that where Acme Corp is the controller the notification decision is theirs | IRP Step 4 |
| Recovery | Confirm new key active; block suspicious IP; review all other customer keys for similar patterns | IRP Step 5 |
| Post-incident | Conduct post-incident review within 5 business days; update risk register if needed | IRP Step 6 |
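The detection, investigation and recovery rows above all rest on the same log analysis: requests per minute against a key's normal volume, source IPs never seen for that key before, the status-code mix of the burst, and preservation of the request data for the record. The following is an added Python example of that triage, written for this exercise record; it is not part of IRP-EX-001, PROC-001 or the Azure Monitor alert. It assumes (not stated in the document) JSON-lines access logs with fields ts, key_id, src_ip, endpoint and status, takes a key's median requests per minute over a baseline window as its "normal volume", uses the 50x figure from the alert as the threshold, and runs over a constructed log (RFC 5737 documentation addresses stand in for the real 185.x.x.x source) that reproduces the 3,200-requests-in-16-minutes pattern from inject T+10, plus a second, quiet customer key so the "review all other customer keys" step has something to compare.

```python
"""Triage for the anomalous-API-key scenario (added example, not part of PROC-001).

Assumed, not from the exercise document: JSON-lines access logs with fields
ts, key_id, src_ip, endpoint, status; "normal volume" = a key's median
requests/minute over the baseline window; alert threshold = 50x.
All log data here is constructed for the exercise.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import hashlib
import json
import statistics

CET = timezone(timedelta(hours=1))
T0 = datetime(2026, 3, 18, 8, 0, tzinfo=CET)     # start of the sample log (08:00 CET)
BASELINE_END = T0 + timedelta(minutes=60)        # traffic before this is "normal"
BURST_FACTOR = 50                                # alert condition from the scenario (assumed)


def build_sample_log():
    """Constructed log: 'acme-01' at 4 req/min from its known integration IP, then
    200 req/min for 16 minutes from an unknown IP from 09:15 CET (3,200 requests,
    all HTTP 200). 'beta-02' is a second customer key with steady traffic."""
    lines = []

    def emit(ts, key, ip, status=200):
        lines.append(json.dumps({"ts": ts.isoformat(), "key_id": key, "src_ip": ip,
                                 "endpoint": "/v1/document/verify", "status": status}))

    for m in range(90):                          # beta-02: 2 req/min for 90 minutes
        for i in range(2):
            emit(T0 + timedelta(minutes=m, seconds=30 * i), "beta-02", "192.0.2.20")
    for m in range(60):                          # acme-01 baseline: 4 req/min
        for i in range(4):
            emit(T0 + timedelta(minutes=m, seconds=15 * i), "acme-01", "203.0.113.10")
    burst_start = T0 + timedelta(minutes=75)     # 09:15 CET
    for m in range(16):                          # acme-01 burst: 200 req/min, unknown IP
        for i in range(200):
            emit(burst_start + timedelta(minutes=m, milliseconds=300 * i),
                 "acme-01", "198.51.100.7")
    return lines


def parse(lines):
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def per_minute(events):
    """(key_id, minute bucket) -> Counter of source IPs seen in that minute."""
    buckets = defaultdict(Counter)
    for e in events:
        minute = e["ts"].replace(second=0, microsecond=0)
        buckets[(e["key_id"], minute)][e["src_ip"]] += 1
    return buckets


def triage(events, baseline_end=BASELINE_END):
    """Per key: median baseline req/min, peak req/min after the baseline window,
    source IPs never seen in the baseline, and whether the 50x condition holds.
    Running it over every key is the 'review all other customer keys' step."""
    buckets = per_minute(events)
    findings = {}
    for key in sorted({k for k, _ in buckets}):
        before = {m: c for (k, m), c in buckets.items() if k == key and m < baseline_end}
        after = {m: c for (k, m), c in buckets.items() if k == key and m >= baseline_end}
        if not before or not after:
            continue
        baseline = statistics.median([sum(c.values()) for c in before.values()])
        peak = max(sum(c.values()) for c in after.values())
        known_ips = {ip for c in before.values() for ip in c}
        burst_ips = {ip for c in after.values() for ip in c}
        findings[key] = {"baseline_per_min": baseline, "peak_per_min": peak,
                         "factor": peak / baseline, "new_ips": sorted(burst_ips - known_ips),
                         "flag": peak >= BURST_FACTOR * baseline}
    return findings


def evidence_package(lines, key_id, src_ip):
    """Preserve the raw lines for one (key, source IP) pair and summarise them for the
    incident record; the SHA-256 of the extract shows later that it was not altered."""
    raw = []
    for line in lines:
        rec = json.loads(line)
        if rec["key_id"] == key_id and rec["src_ip"] == src_ip:
            raw.append(line)
    events = parse(raw)
    return {"requests": len(events),
            "first": events[0]["ts"].isoformat(), "last": events[-1]["ts"].isoformat(),
            "active_minutes": len({e["ts"].replace(second=0, microsecond=0) for e in events}),
            "status_counts": dict(Counter(e["status"] for e in events)),
            "endpoints": sorted({e["endpoint"] for e in events}),
            "sha256": hashlib.sha256("\n".join(raw).encode()).hexdigest()}


if __name__ == "__main__":
    log = build_sample_log()
    for key, finding in triage(parse(log)).items():
        print(key, finding)
    print(evidence_package(log, "acme-01", "198.51.100.7"))
```

On the constructed data only acme-01 is flagged (200 req/min against a baseline of 4, i.e. exactly the 50x from the alert, all from an IP the key had never used); beta-02 comes out at factor 1 with no new IPs, which is the result the recovery step wants to see for every other key. The evidence package records the 3,200 requests, the 16 active minutes, the all-200 status mix and the hash of the preserved extract, which is what criterion 6 of the evaluation asks the team to identify.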
4. Evaluation Criteria¶
| # | Criteria | Pass/Fail |
|---|---|---|
| 1 | Team correctly classifies the incident severity | ☐ |
| 2 | Correct escalation path followed (ISO notified within 1 hour) | ☐ |
| 3 | Containment action identified (key revocation) within target time | ☐ |
| 4 | GDPR breach assessment performed (72h notification decision) | ☐ |
| 5 | Customer communication plan articulated | ☐ |
| 6 | Evidence preservation actions identified (logs, request data) | ☐ |
| 7 | Post-incident review scheduled | ☐ |
| 8 | All team members understand their roles | ☐ |
5. Exercise Record¶
5.1 Observations¶
| # | Observation | Severity | Action Required |
|---|---|---|---|
| 1 | | | |
| 2 | | | |
| 3 | | | |
5.2 Lessons Learned¶
To be completed during exercise debrief.
5.3 IRP Updates Required¶
Document any changes needed to the IRP based on exercise findings.
6. Sign-Off¶
| Role | Name | Signature | Date |
|---|---|---|---|
| Facilitator | Sebastian Windeck (CTO) | | |
| ISO | Jan Marc Castlunger | | |
| Participant (Chief of AI) | Malte Toetzke | | |
Post-exercise: Update IRP from v0.9 to v1.0 and incorporate any findings.
Reference: Incident Response Plan (PROC-001)