WHO CAN PARTICIPATE IN CAPP? Regulated financial institutions of all sizes in the US and Canada can participate in the CAPP exercise.
HOW DOES OUR PRIMARY CONTACT KNOW WHAT TO DO? Your primary contact will be sent a pre-CAPP package with all the details, more information, a help-line phone and email contact, and other helpful hints to prepare him/herself, the team, and your company.
HOW ARE THE SIMULATED INCIDENT RESPONSE TEAM REPORTS RECEIVED? Your primary contact can expect audio files formatted to be accessible without any special provisions. Supporting materials such as PowerPoint slides and meeting transcripts are sent via WebEx or email.
HOW MUCH TIME DOES CAPP TAKE? On average, teams work together for about an hour each day.
WHAT IS THE REGISTRATION COST? There is no cost for regulated financial institutions to participate. CAPP is provided by the Financial Services Information Sharing and Analysis Center (FS-ISAC).
IS THIS A VULNERABILITY TEST OF OUR SYSTEM? No. CAPP is a table-top, simulated exercise. Participating in CAPP will allow you to privately assess your systems and response plans.
WHO SHOULD BE INVOLVED? Typically, the response team includes Operations, IT, Risk, Legal, Customer Service, and Communications. Some organizations invite legal and an executive manager to participate in or observe the exercise.
WHAT ABOUT THE SURVEY? Survey answers are private and submitted anonymously. Responses are analyzed to produce an overall picture of how financial institutions are responding to cyber-attacks, and best practices generally emerge. Most organizations use the survey internally to assess and improve their response.
WHAT SURVEY SOFTWARE DOES MY FINANCIAL INSTITUTION NEED? Surveys are completed through a private link to Survey Monkey.
WHAT IF MY FINANCIAL INSTITUTION IS NOT A MEMBER OF FS-ISAC? All regulated financial institutions in the US and Canada are welcome to participate. You do not need to be a member of FS-ISAC.
WILL MY FINANCIAL INSTITUTION’S NAME BE USED ANYWHERE? No. The names of participating financial institutions are not used or made available, and your company participates as an anonymous financial institution.
WHAT IS THE AFTER-ACTION? Preliminary results will be presented at the FS-ISAC Fall Summit, October 25-28, 2015, and an interactive WebEx will be hosted and facilitated by FS-ISAC in November.