Incident Response Test Plan

CONFIDENTIAL: This document is considered confidential to and is maintained as a trade secret by <ORGANIZATION
NAME>. Information in this document is restricted to <ORGANIZATION NAME> authorized recipients only and any
reproduction, distribution, or public discussion of this material is subject to the limits described in your non-disclosure
agreement with <ORGANIZATION NAME>.
Incident Response Test Plan & Report
MOC TICKET NUMBER(S):
DATE:
PROPERTY:
TEST PERIOD:
PARTICIPANTS:
MODERATOR (INCIDENT RESPONSE LEAD)
COORDINATOR (TARGET SYSTEM OWNER)
TESTER (INCIDENT HANDLER)
OBSERVER (INCIDENT HANDLER)
Contents
Introduction
Testing Vision
Test Action Items
Expected Results
Actual Results
Discrepancies between Expected and Actual Results
Post mortem
Exhibits
Introduction
<INSERT TEAM NAME> regularly tests its incident response methodology and tooling to ensure optimal performance during incidents on <ORGANIZATION NAME> networks. This testing also serves to validate incident response performance as required by various compliance mandates.
Testing Vision
<INSERT TEAM NAME> testing occurs in both lab and production environments. A quarterly comprehensive production exercise is conducted to validate the effectiveness of the <INSERT TEAM NAME> capability in a live-fire exercise. This testing can also be initiated on an as-needed basis to satisfy various compliance requirements (PCI, ISO, FISMA, SAS 70, etc.).
Test Action Items
1) In advance of the testing period, the moderator will place a specially crafted, non-malicious binary with malware-like attributes on a server of the coordinator's choosing. Additionally, the moderator or coordinator will perform activity on the chosen server(s) that monitoring/alerting mechanisms would perceive as non-compliant or potentially malicious.
2) The tester will be informed via normal escalation paths <INSERT ESCALATION EMAIL ADDRESSES & PHONE NUMBERS> of an incident involving the dedicated server(s), but will be provided with no other information.
3) The tester will have a two-hour period in which to determine the nature of the "compromise" or "malicious behavior" suffered by the dedicated server.
4) Upon conclusion, the tester will inform the moderator of the findings. Should the tester reach what he concludes is a successful investigation prior to the end of the two-hour window, the exercise may be considered complete and successful. Should the tester fail to determine root cause by the end of the test period, the exercise will be considered unsuccessful and will be repeated to ensure a successful and optimized service.
5) The coordinator and observer will confer to ensure that the test results satisfy requirements specific to compliance mandates as needed.
Expected Results
[DEFINE EXPECTED TEST OUTCOME HERE]
Actual Results
[DEFINE ACTUAL TEST OUTCOME HERE]
Discrepancies between Expected and Actual Results
[DEFINE DISCREPANCIES BETWEEN EXPECTED AND ACTUAL TEST RESULTS HERE. INCLUDE ACTION ITEMS TO RESOLVE DISCREPANCIES]
Post mortem
A follow-up discussion will be held to review the success or failure of the exercise and the outcome exhibits.
Exhibits
[TEST RESULTS, FINDINGS]