Read this slide, then delete

[Audio] The facilitator notes included in this presentation are a guide only, please update as required to suit your business area. The facilitator notes include: 1. Speaking points, i.e. can be read word for word (in blue and italics) 2. Facilitator tips, i.e. used to assist you in the facilitation of the exercise (bold and highlighted yellow) It is recommended that you print these notes rather than use them in the PowerPoint application. Actions prior to delivery: Review slide content and tailor as required to your specific working groups. Nominate someone to be an evaluator (their job is to take notes of the discussion for the end of exercise report and note key observations or any lessons). Determine a single delivery method (online or in person) – hybrid can be difficult to manage solo. Decide how you'd like to facilitate the group discussions Decide if groups will be random selection or working groups. Some areas will benefit by being kept in their working groups; others may benefit from being mixed across various work functions. If delivering an in-person session, consider what materials you will need for the session (sticky notes, pens, large paper, participant feedback QR Code hand-outs). If facilitating the session virtually via Teams: Familiarise yourself with break out room functionality Consider whether you'd like to use an online platform such as Miro (paid) or the Whiteboard function (free) within Teams to create an engaging and interactive experience for participants during the small group activity..

[Audio] Today we will discuss a security incident scenario, which may be sensitive. If the content becomes distressing, please prioritise your wellbeing and feel free to step away at any time. Support is available through your Manager and our EAP Provider if needed. ASK: Does anyone have any questions or concerns before we start?.

[Audio] Facilitator Note: Acknowledgement of traditional owners, housekeeping and introduction of the evaluator. •Thank you for coming along to today's continuity of business discussion, Exercise Infiltrate. We undertake these exercises to provide assurance to the Director-General that TMR can maintain continuity of business and respond to disruptive events. •I'd like to begin by acknowledging the traditional owners and custodians of the land and waterways on which we are meeting today. I would also like to pay my respects to Elders past and present. I also extend that respect to the Aboriginal and Torres Strait Islander people here today. •This year our exercise has been named Infiltrate. A discussion-based exercise on an Incursion of a premises. Incursions of a premises can occur in many ways. This exercise does NOT examine how the incursion occurs but the result and response to one. Information will be provided in notional time over the progression of the scenario Housekeeping -virtual facilitation: •Could I please ask everyone to mute their microphones unless speaking and please use hands-up or chat function to ask questions. During the small group activity, please unmute yourself and participate in discussions. OR Housekeeping –in person facilitation: •If we're interrupted by the fire alarm during today's session, please follow the directions of wardens. •Please put your phones on silent, and if you need to take a call, please leave the room. Evaluator •We have (insert name) who will be our evaluator and take notes and write down and observations or lessons during the exercise. •In saying that, I encourage everyone to take your own notes during the exercise so you can share individual key takeaways during the debrief and the participant end of exercise feedback form. •All actions/recommendations identified during today's exercise and debrief, will be collated by the evaluator for inclusion in the exercise report..

[Audio] FILM / PHOTO CONSENT Please ensure you update this slide and read this disclaimer to all participants if you intend to take photos and/or wish to record the session (including transcription). After you facilitate the exercise, we encourage all Continuity Coordinators to promote the exercise completion by posting a message on the Viva Engage Channel: Business and Continuous Improvement across TMR. You can review the channel to see other examples of what to include. Suggest that you tag your business area and accountable officer in the post to increase engagement and post exercise conversation. ***************************************** Here's an example you can follow: The xxxx xxx [name your business area] undertook Exercise Infiltrate on [day, date, month]. Discussions were robust and all participants were engaged throughout the session. Some great improvement opportunities and outcomes were identified and will be incorporated into the Process of Continuity of Business (PCB) refresh. Thanks to [Accountable officer] for hosting and [scribe] for undertaking the scribe function and mostly for everyone's active participation. [include any images taken of the session] ******************************************.

[Audio] Facilitator notes: In the context of premises security, an incursion refers to any unauthorised entry or action that disrupts or threatens the safety and security of a workplace or facility. Understanding the result and response to an incursion is critical in protecting personnel, assets, and data. Incursions includes Tailgating, Storming, Break and enter, sabotage of entry points, Lost or stolen access and ID cards. An overview of each of these types are included in the participant guide but here is an outline to assist your understanding. Tailgating: Unauthorised persons might gain access to a TMR workplace by closely following an authorised person. This can happen when someone courteously holds the door for another or if an observer strategically seizes the moment to enter, bypassing security protocol. Storming: A group of individuals forcefully and aggressively gains access to a secure area. This could be for various reasons, such as protest, theft, or an active threat. In such a case, the volume of people and the speed at which they act can overwhelm security measures. Break and enter: Unauthorised individuals forcefully gain entry by breaking windows, doors, or other access points. This may be an act of theft or vandalism. The physical damage to the premises may be significant, along with the potential loss of property. Sabotage of entry points: A person or group may intentionally damage or disable entry points, such as security systems, locks, or alarm systems. This can create vulnerabilities and open the door for other forms of incursions or disruptions in the workplace. Lost or Stolen Access and ID cards: A lost or stolen access card can be used by unauthorised individuals to gain access to secure areas. This could lead to theft, data breaches, or other security risks..

[Audio] Facilitator Note: Exercise intent and agenda for the session The exercise should take 90 minutes to complete. It is intended to assist development and identify gaps in our process for continuity of business. An opportunity to identify areas to improve co-operation and communication. A chance to reflect and develop an action plan, capturing achievements, opportunities and improvements for process for continuity of business. It is not a personal evaluation or test of individual participants or management. We'll begin today's exercise by identifying the aim and objectives, then I will ask everyone to share their expectations for today. From there, we'll get straight into the activity which includes breaking into smaller groups [remove if not a large group of particpants]. Facilitator Note: Groups may be randomly selected based on seating, or you may wish for the groups to be structured around working groups Before we finish, I will ask you all to complete a very quick online feedback form before wrapping up the session. As the last point states, this is not a personal evaluation, nor is it a test of anyone here. Everyone should feel comfortable raising questions or suggestions during today's session..

[Audio] Facilitator notes: Aim The aim of today's exercise is to assess and provide assurance of the preparedness of TMR to continue business whilst losing principle place of business with a cybersecurity incident. Facilitator Note: During today's session, it is hoped we will: Share knowledge regarding our Process for Continuity of Business and other documents e.g. Standard Operating Procedures. Have discussions on how to identify security incidents and the protocol for reporting them in your place of business. Understand each other's communication and reporting requirements and how this knowledge can improve communication channels during an event. Ensure staff know if they are critical to deliver the identified critical business functions. Noting, all staff are important – just some have been identified to have critical roles in delivering critical functions to ensure continuity of business. Everyone's input is important in this exercise! Facilitator Tip: It is important everyone participates in this exercise and no one person dominates the discussion. Throughout the discussion, give extra encouragement to those reluctant to join the discussion. Avoid the temptation to jump in with solutions if it is silent at first. Instead, draw out answers from the participants by asking open ended questions ie: how and what questions. Ensure the evaluator takes note of any action points or any items for follow up..

[Audio] Facilitator notes: Objectives The objectives of today's exercise are to: 1. Confirm roles, responsibilities and critical functions of business areas with reduced capacity, while identifying alternate methods to maintain continuity in business operations. Who is responsible for what during a disruptive event? What do they do? What is expected of everyone during a disruptive event? Ensure staff know if they are listed as critical to deliver the identified critical functions. Some staff may be identified as non-critical and will not be able to continue to work. Noting HR provisions will ensure staff do not lose any leave or other provisions. There are My Timecodes to cover these absences. (Not expected to be answered at this point). 2. Enhance awareness of physical security risks and corresponding control measures. Ensure staff are aware of critical reporting processes. 3. Identify opportunities for improvement within business areas of documented processes and procedures. Potentially developing an action plan with assigned people to help lead each identified improvement item. Enhancing the current PCB through the lessons learnt in this exercise..

[Audio] Facilitator notes: Pay attention to the expectations as you will cover them off at the end of the exercise. What are your expectations for today's exercise? What do you hope to achieve by participating in today's exercise? Facilitator Note: Get participants to answer the below questions if they aren't expressed by this point Does the process for onboarding new staff members include information about the Process for Continuity of Business? (including relief staff) Does everyone know where to find a copy of the PCB? Is this a first exercise for anybody in the room? Virtual facilitation: Could I please get everyone to submit their response in the chat window. I'll give everyone 2 minutes to type their answers. Breakout rooms will be used today, please nominate a scribe and speaker to report back key discussion points at the end of each breakout. There is a notes template attached to this invite for whoever the nominated scribe is. • This will be coordinated using the breakout room function. Send participants to their rooms after injects have been read so that they can discuss the questions. Bring them back to the main meeting after a period of time. •Please note, when using Teams, the meeting organiser/s is the only person who can facilitate break out rooms. Consider having multiple 'organisers' to mitigate this impacting your exercise. •For more information about Breakout Rooms, use this link: https://support.microsoft.com/en-us/office/use-breakout-rooms-in-teams-meetings-7de1f48a-da07-466c-a5ab-4ebace28e46 OR In person facilitation: Using the sticky note pads, please write down your response and we'll stick them together on the wall. I'll allow everyone a couple of minutes to write down their response. Remember, today's exercise is your opportunity to provide input and feedback which will assist in the development of a robust Process for Continuity of Business (PCB). It's also an opportunity to practice decision making –better to do it in this environment than during an actual event. Please feel free to ask questions along the way. Alright, before we move on are there any questions, concerns or doubts about the exercise today? Some areas will benefit by being kept in their working groups; others may benefit from being mixed across various work functions. As discussed, we will be breaking into groups for discussion of the scenario and the injects. It's important everyone gets involved in their small group discussion, as different perspectives and opinions help ensure our PCB is developed with everyone in mind. For this activity we will allow 30-40 minutes for detailed discussions to occur–it may seem like a long time, but it will go quickly.

[Audio] The facilitator notes: Read this slide, then delete.

[Audio] Facilitator Notes: Setting the scene – Incursion of premises. Setting the scene Incursion on premises Unauthorised persons have entered your building (undetected) after hours via unknown means. The unauthorised person(s) has caused malicious damage during the evening. You are one of the initial people to discover the damage. You are unsure if the person(s) who performed the damage is still on site. Next slide for the first inject.

[Audio] Facilitator Notes: Inject 1 (MONDAY) – 1st Incursion of premises It's 7am and you are entering the office when you discover that damage has been made to workstations, including monitors and cabling, bathrooms and kitchens are destroyed and water flowing onto the floor into the work area. Next slide for discussion questions.

[Audio] Facilitator Notes: Inject 1 (WEDNESDAY) – 1st Incursion of premises It's 7am and you are entering the office when you discover that damage has been made to workstations, including monitors and cabling, bathrooms and kitchens are destroyed and water flowing onto the floor into the work area. Next slide for discussion questions.

[Audio] From 2024 slide: Read questions Give final instructions to appoint scribe and speaker to report back on key discussion points. Notes template attached to meeting invite and includes questions listed above SEND TO BREAKOUTS! Remember to jump in and record each breakout Give time in 10 minutes when groups will be brought back Give 1 minute warning to bring groups back From 2025 slide Facilitator Notes: Inject 1 - questions for the participants to discuss AO: in breakout rooms…??? assign breakout rooms per actual team e.g HR Team, Finance etc AO: Add this General Participant Notes template for exercise Infiltrate workshop.pptx to the session chat so everyone can access it and the scriber for each group (Team) can add comments/notes and send it back to Metro BI at the end of the session. Who do you report the incident to? How do you ensure that the area is safe? Do you know who is due in the office today? How do you relay next steps to your team? How can staff continue their work if they had left their laptops in the office but now cannot return for 2-3 days? Prompts to get participants started: The PCB has four categories – Loss of Usual place of business, Loss of Services, Loss of many people and Loss of third party suppliers/vendors. In this instance we'd refer to your PCB's 'Loss of usual place of business'. Review the process in this category see page xx and assess if it adequately covers how to manage this scenario inject. Prompt points: What are some signs of unauthorised entry? What approach should be taken if an unauthorised person is discovered in the building? Further Facilitator Question (if required) Is this something covered by your current PCB? Have you discussed the need for critical staff members to take their laptops home everyday? What are management expectations on staff taking laptops home each night? After 5-10 minutes, get your groups/participants to report back (the evaluator will take down key points). Next slide for Inject 2.

[Audio] Facilitator Notes: Inject 2 (TUESDAY) - Escalation of the current event Queensland Police Service and Internal Security have investigated the incident. They have found extensive damage including to the IT equipment rooms. Facilities has assessed the site, and because of the damage, no one is allowed into the office – rumours are circulating that it could be for at least 2 to 3 business days. During investigations, not only has damage been made to the floor, but suspect USBs have been identified in the port of some TMR PCs and laptops and an unauthorised laptop has been discovered connected to the network. Additional Guidance material: There are many policies and procedures in place across TMR – below are the key documents when it comes to your security and safety. Emergency preparedness response procedures - how to prepare for and respond to emergency situations. Emergency Preparedness and Response procedure.pdf Protective Security – staff resources and information Security of TMR's people, assets and information is important for everyone and relies on us all working together to make it happen. TMR employees may require security advice on a range of issues that can adversely impact employee and facility safety and security. Transport Network Security and Resilience (TNSR) has a team that can help you with protective security and operational safety advice across TMR – the Internal Security team. Reporting Security Incidents – Guideline Transport and Main Roads (TMR) staff, including contractors and consultants, may be impacted, or made aware of a security incident within the workplace. The purpose of this guideline is to provide clear guidance for reporting security incidents. It is crucial to report all security incidents to enable the department to identify security trends, insights, gather intelligence and take appropriate actions to keep our people, information, and assets safe and secure. 240920_ Reporting Security Incidents – Guideline Next slide for continuance of inject..

[Audio] Facilitator Notes: Inject 2 (TUESDAY) - Escalation of the current After consultation with the leadership team, Information Technology Branch (ITB) circulates communications to all staff requesting that they minimise network access and usage. Staff start to lose network connectivity, and some program access is lost as the day progresses. Your area loses network connectivity and access to critical programs specific. Facilitator option to change this section and include a specific critical systems for your business area. Ie. Staff start to lose network connectivity, and xx program access is lost as the day progresses. TMR has a comprehensively outlined Information Security protocols on Inside TMR Information Security and Resilience Hub (Information Security and Resilience Hub – Home https://tmrqld.sharepoint.com/sites/information-security, Under Training and Awareness are the following ), these include: Removable media security (USB/laptops) Removable media security Cyber and physical security Cyber and physical security Email Security Email security Mobile device security Mobile device security Password Security Password security Working Remotely Working remotely Next slide for discussion questions..

[Audio] Facilitator Notes: Inject 2 (TUESDAY) - Escalation of the current After consultation with the leadership team, Information Technology Branch (ITB) circulates communications to all staff requesting that they minimise network access and usage. Staff start to lose network connectivity, and some program access is lost as the day progresses. Your area loses network connectivity and access to critical programs specific. Facilitator option to change this section and include a specific critical systems for your business area. Ie. Staff start to lose network connectivity, and xx program access is lost as the day progresses. TMR has a comprehensively outlined Information Security protocols on Inside TMR Information Security and Resilience Hub (Information Security and Resilience Hub – Home https://tmrqld.sharepoint.com/sites/information-security, Under Training and Awareness are the following ), these include: Removable media security (USB/laptops) Removable media security Cyber and physical security Cyber and physical security Email Security Email security Mobile device security Mobile device security Password Security Password security Working Remotely Working remotely Next slide for discussion questions..

[Audio] Facilitator Notes: Inject 2 (THURSDAY) - Escalation of the current After consultation with the leadership team, Information Technology Branch (ITB) circulates communications to all staff requesting that they minimise network access and usage. Staff start to lose network connectivity, and some program access is lost as the day progresses. Your area loses network connectivity and access to critical programs specific. (Facilitator option to change this section and include a specific critical systems for your business area. Ie. Staff start to lose network connectivity, and xx program access is lost as the day progresses.) Any unidentified/unauthorised USB's or laptops should be taken to IT Service Centre for investigation. TMR has a comprehensively outlined Information Security protocols on Inside TMR Information Security and Resilience Hub (Information Security and Resilience Hub – Home https://tmrqld.sharepoint.com/sites/information-security, Under Training and Awareness are the following ), these include: Removable media security (USB/laptops) Removable media security Cyber and physical security Cyber and physical security Email Security Email security Mobile device security Mobile device security Password Security Password security Working Remotely Working remotely Next slide for discussion questions..

[Audio] Facilitator Notes: Inject 2 - questions for the participants to discuss How are staff informed if they are not present at the time of incursion, but potentially impacted? Which critical functions as listed in your PCB are currently operational, and which aren't? Do you have alternate work options outlined? Has the wellbeing of any staff directly impacted by the incursion been checked (psychosocial safety)? Prompts to get participants started: Earlier, I advised you that the PCB has four categories – Loss of Usual place of business, Loss of Services, Loss of many people and Loss of third party suppliers/vendors. In this scenario inject which category would we refer to? Answer: Loss of Services Review the process in this category see page xx and assess if it adequately covers how to manage this scenario inject. Further Facilitator Question (if required) Are all your staff still able to carry out meaningful work? Do you have some manual processes ready to go? If so, what are they and will they actually work? To note/discuss with the group (if required) Participants should not resort to passing responsibility to ITB. The continuity of the business area is the business area's responsibility, not ITB's. After 5-10 minutes, get your groups/participants to report back (the evaluator will take down key points). Next slide for final Inject 3.

[Audio] Facilitator Notes: Inject 3 (WEDNESDAY) - impacts have now ceased / staged return to work Advice email is sent from the Facilities team advising that the building is expected to take some additional time to complete repairs and suggested that alternate work locations are utilised. Network connectivity issue has been resolved. Consider critical functions a staggered return to work. Some staff have indicated that this event has been traumatic and need to access the Employee Assistance Program. Next slide for discussion questions.

[Audio] Facilitator Notes: Inject 3 (FRIDAY) - impacts have now ceased / staged return to work Advice email is sent from the Facilities team advising that the building is expected to take some additional time to complete repairs and suggested that alternate work locations are utilised. Network connectivity issue has been resolved. Consider critical functions a staggered return to work. Some staff have indicated that this event has been traumatic and need to access the Employee Assistance Program. Next slide for discussion questions.

[Audio] Facilitator Notes: Inject 3 - questions for the participants to discuss How do you manage your return-to-work priorities? Are alternate work locations listed in your Process for Continuity of Business (PCB)? How do you identify critical functions and employees and/or business unit priorities for a staged return to work? Are there any HR impacts requiring communication? Additional Facilitator questions: When would you suggest the use of TMR's EAP. Does your back up site require staff to provide laptop and other equipment? Does your Memorandum of Understanding (MOU) include this detail? After 5-10 minutes, get your groups/participants to report back (the evaluator will take down key points)..

[Audio] Facilitator Notes: Reconvene whole group and debrief Thanks everyone, this now concludes the exercise. Before we finish off today, we will end with a Hot Debrief to review the discussions we've had to identify next steps which our evaluator will capture. As we go through and identify recommendations, it's important we assign a person to help lead that action. I will follow up with these people regarding their actions within 30 days. Let's begin by revisiting our expectations, aim and objectives: Was your expectation expressed at the beginning of today's session met? Participants to answer. As a reminder Today's aim was to assess and provide assurance of the preparedness of TMR to continue business whilst experiencing intermittent impacts to essential services. How did we go against our objectives: How did we go against our objectives: Did we confirm roles, responsibilities, and expectations of business areas with reduced capacity. Participants to answer. Prompt: Were roles, responsibilities, and expectations clear, or did this need some time to work through? 2. Did we confirm critical functions and implement alternate methods for continuing to operate during a disruptive event. Participants to answer. Prompt: How did you go about identifying and prioritising your critical functions? Prompt: Did you identify alternative methods for continuing to operate? 3. Did we enhance awareness of physical security risks and corresponding control measures? Participants to answer. Prompt: Do you think more training and awareness of staff is needed in this space? 4. Did we identify opportunities for improvement within business areas of documented processes and procedures. Participants to answer. Prompt: Did any unanticipated issues arise during the exercise?​ Prompt: Were any gaps in existing planning identified?​ Prompt: Do you have any new ideas or recommendations for improvement?​ Prompt: What do you think are the high-priority issues that should be addressed first?​ Great reflection everyone, these actions from today's discussions will help improve our process for continuity of business..

[Audio] Facilitator Notes: Request for feedback Virtual facilitation (Feedback Form link to put in the chat function at this point – https://forms.office.com/r/vbwbW7Z5JA I now invite everyone to provide feedback on today's session by scanning the displayed QR code or alternatively I have provided the link to the feedback form within the chat window. I'm going to give everyone a couple of minutes now to complete the form. This information really helps inform future exercises and ensure we are delivering sessions of interest and benefit to you. Results will be collated by TNSR and key themes shared with Continuity Coordinators. OR In person facilitation (ensure you print QR codes to hand out at this point of the session). I now invite everyone to provide feedback on today's session by scanning the QR code provided via the print outs circulated. I'm going to give everyone a couple of minutes now to complete the form. This information really helps inform future exercises and ensure we are delivering sessions of interest and benefit to you so if you are unwilling to use the QR code please ensure you complete the feedback form via the link after the session today. Results will be collated by TNSR and key themes shared with Continuity Coordinators..

[Audio] Facilitator Notes: Last slide I want to thank​ everyone for your involvement in today's exercise. Following today's session, an exercise report will be completed within 30 days which our Accountable Officer (insert whoever signs off on the business area's PCB) will sign. A copy of this report will be made available to everyone here today and sent to TNSR for inclusion in department-wide analysis. Thank you again and please know, our process for continuity of business is a living document, so if ever you wish to propose changes or updates, please be in touch. Final Administration: Ensure you have collected all administrative documentation including QR Code handouts, attendance sheets and sticky notes..