Tabletop Exercises

Play the game before the mistake becomes something everyone notices

What it is

Cross-functional simulations of the incidents your peers are actually dealing with right now — Canvas going down, ransomware at the institution across the state, the SIS compromise that hit during admissions cycle — designed so your team plays the game before the mistake becomes something everyone notices. We test the parts of incident response no playbook can predict: the decisions, escalations, and authority gaps between IT, legal, communications, and leadership across the districts of the campus city.

Higher-Education Incident Response: Cross-Functional by Design

Higher-education incident response can't be IT-only. The first six hours of any institutional incident require coordination across IT, legal, communications, executive leadership, and often faculty governance, the research office, advancement, or student health. Our higher-education incident response tabletop exercises are designed to surface the decision-authority gaps between those functions — the parts no runbook captures.

The distinction we draw

Most tabletops feel performative because they test the parts of the runbook that already work — the technical recovery. The valuable test isn't “can we restore from backup” (engineers already know). It's who declares an incident, who notifies regulators, who talks to the press, who authorizes paying a ransom, who tells the Provost a research dataset is gone, who tells the Board, in what order, with what evidence, in the first six hours. We design exercises to surface those gaps — before the next incident makes the gaps public.

Why now — recent incidents we design scenarios around

Refreshed quarterly from our incident corpus.

  • Canvas LMS outage and the mid-semester recovery scramble (2026-05) — Institutions had to assess their LMS recovery posture in real time, mid-semester, with grade submission and course continuity at stake. Surfaces dependencies on a single SaaS LMS, the recovery cadence the institution can actually sustain, and the cross-functional decisions about how to communicate with faculty and students under uncertainty.

Other scenario patterns we calibrate against: ransomware at peer institutions during high-demand academic windows (admissions, finals, commencement); SIS / Workday Student compromises with FERPA and federal financial-aid notification clocks running; research-data exfiltration with NSPM-33 and contract implications; MFA fatigue against students at scale; donor-database breaches at advancement; clinical-system outages at student health centers with HIPAA OCR notification timing.

The pragmatic pieces we deliver

  • Scenarios calibrated to your campus districts — not generic Fortune 500 ransomware. Real higher-ed scenarios, drawn from current events at peer institutions.
  • Cross-functional facilitation — IT, legal, communications, executive leadership, and where relevant faculty governance, research office, advancement, student health. Single-function tabletops produce single-function lessons.
  • Decision-authority matrix — who declares, who notifies whom, who pays, who talks to whom, with what evidence — produced during the exercise from real disagreements, not pre-written.
  • After-action report with concrete, owned, dated fixes — not a list of observations.
  • Communications templates for the highest-probability scenarios, drafted so they survive the 4am moment.
  • Recurring program structure — annual cadence, scenario rotation across districts, Board-observed exercise once a year for governance visibility.

What “frictionless” means here

The real incident, when it comes, doesn't feel like an incident to anyone outside the IR room. Users keep using the systems. Faculty submit grades on time. Students don't notice. Legal, comms, and IT moved in lockstep because they'd already had this conversation in a conference room three months ago. The Board gets briefed on confirmed capabilities, not aspirational ones. If we did it right, it will feel like it didn't even affect us.

Frameworks and references we use

NIST SP 800-84 (Test, Training, and Exercise programs), CISA tabletop packages (CTEP), REN-ISAC higher-ed scenarios, EDUCAUSE Cybersecurity Initiative tabletop community resources. Where relevant: Clery Act emergency notification timing, HIPAA OCR breach-notification clocks, state breach-notification statutes (different per state, different triggers).

Engagement shape

Half-day single-scenario TTX → full-day cross-functional TTX → annual program (4 TTXs across different districts + retrospective + roadmap). Pre-audit TTX as part of Compliance Readiness. Optional Board-observed exercise (high signal, sensitive to facilitate well).