Expert answer: Watch Video: Info-Tech Webinar: Business Continuity, Develop a Test Plan. Duration: 55:16. User: InfoTechRG. Added: 11/14/14.

Develop a test plan, training plan, and maintenance methodology for SanGrafix, a video game design company. Each test and maintenance methodology should include a method for testing applications, operating systems, network connectivity, speed, load testing, interoperability, permissions, and security. Please research and come up with a comprehensive plan.

The following files have been supplied for your use: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (SP800-84), sp800_84.pdf

Unformatted Attachment Preview
Special Publication 800-84
Sponsored by the Department of Homeland Security

Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
Recommendations of the National Institute of Standards and Technology

Tim Grance, Tamara Nolan, Kristin Burke, Rich Dudley, Gregory White, Travis Good

NIST Special Publication 800-84
Computer Security
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

September 2006

U.S. Department of Commerce
Carlos M. Gutierrez, Secretary
Technology Administration
Robert C. Cresanti, Under Secretary of Commerce for Technology
National Institute of Standards and Technology
William A. Jeffrey, Director
GUIDE TO TEST, TRAINING, AND EXERCISE PROGRAMS FOR IT PLANS AND CAPABILITIES
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in Federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-84
Natl. Inst. Stand. Technol. Spec. Publ. 800-84, 97 pages (September 2006)
Certain commercial entities, equipment, or materials may be identified in this
document to describe an experimental procedure or concept adequately. Such
identification is not intended to imply recommendation or endorsement by the
National Institute of Standards and Technology, nor is it intended to imply that the
entities, materials, or equipment are necessarily the best available for the purpose.
Acknowledgements
The authors, Tim Grance of the National Institute of Standards and Technology (NIST); Tamara Nolan,
Kristin Burke, and Rich Dudley of Booz Allen Hamilton; and Dr. Gregory White and Travis Good of the
University of Texas-San Antonio (UTSA); wish to thank their colleagues who reviewed drafts of this
document and contributed to its technical content. The authors would like to acknowledge Joan Hash,
Karen Kent, Peter Mell, Matt Scholl, Marianne Swanson, and Mark Wilson of NIST; Dick Broome, Kara
Crawley, Courtney Hawkins, Munir Majdalawieh, and Zara Pyatt of Booz Allen Hamilton; and Dwayne
Williams of UTSA for their keen and insightful assistance throughout the development of the document.
The authors would also like to express their thanks to Glenn Fiedelholtz, Annabelle Lee, and Jeffrey
Wright from the National Cyber Security Division of the Department of Homeland Security, as well as
representatives from the Department of State and the MITRE Corporation, for their valuable comments
and suggestions.
The National Institute of Standards and Technology would also like to express its appreciation and thanks
to the Department of Homeland Security for its sponsorship and support of NIST Special Publication 800-84.
Table of Contents

Executive Summary ..... ES-1
1. Introduction ..... 1-1
  1.1 Authority ..... 1-1
  1.2 Purpose and Scope ..... 1-1
  1.3 Audience ..... 1-1
  1.4 Document Structure ..... 1-2
2. Establishing a Test, Training, and Exercise Program ..... 2-1
  2.1 Develop Comprehensive TT&E Policy ..... 2-3
  2.2 Identify TT&E Roles and Responsibilities ..... 2-4
  2.3 Establish Overall TT&E Schedule ..... 2-4
  2.4 Document TT&E Event Methodology ..... 2-4
  2.5 Recommendations ..... 2-5
3. Training Sessions ..... 3-1
4. Tabletop Exercises ..... 4-1
  4.1 Evaluate the Need for a Tabletop Exercise and Create a Schedule ..... 4-1
  4.2 Design the Tabletop Exercise Event ..... 4-1
    4.2.1 Determine the Topics ..... 4-2
    4.2.2 Determine the Scope ..... 4-2
    4.2.3 Identify the Objectives ..... 4-2
    4.2.4 Identify the Participants ..... 4-2
    4.2.5 Identify the Tabletop Exercise Staff ..... 4-3
    4.2.6 Coordinate the Logistics ..... 4-3
  4.3 Develop the Tabletop Exercise Material ..... 4-3
  4.4 Conduct the Tabletop Exercise ..... 4-4
  4.5 Evaluate the Tabletop Exercise ..... 4-5
  4.6 Summary ..... 4-5
5. Functional Exercises ..... 5-1
  5.1 Evaluate the Need for a Functional Exercise and Create a Schedule ..... 5-1
  5.2 Design the Functional Exercise Event ..... 5-1
    5.2.1 Determine the Topic ..... 5-2
    5.2.2 Determine the Scope ..... 5-2
    5.2.3 Identify the Objectives ..... 5-2
    5.2.4 Identify the Participants ..... 5-2
    5.2.5 Identify the Functional Exercise Staff ..... 5-3
    5.2.6 Coordinate the Logistics ..... 5-3
  5.3 Develop the Functional Exercise Material ..... 5-4
  5.4 Conduct the Functional Exercise ..... 5-5
  5.5 Evaluate the Functional Exercise ..... 5-6
  5.6 Summary ..... 5-6
6. Tests ..... 6-1
  6.1 Evaluate the Need for a Test and Create a Schedule ..... 6-1
  6.2 Design the Test Event ..... 6-2
    6.2.1 Determine the Scope ..... 6-2
    6.2.2 Identify the Objectives ..... 6-3
    6.2.3 Determine the Testing Tools ..... 6-3
    6.2.4 Identify the Participants ..... 6-3
    6.2.5 Identify the Test Staff ..... 6-4
    6.2.6 Coordinate the Logistics ..... 6-4
  6.3 Develop the Test Material ..... 6-5
  6.4 Conduct the Test ..... 6-5
  6.5 Evaluate the Test ..... 6-6
  6.6 Summary ..... 6-6

List of Appendices

Appendix A— Sample Tabletop Exercise Documentation ..... A-1
  A.1 Sample Tabletop Exercise Facilitator Guide ..... A-2
  A.2 Sample Tabletop Exercise Participant Guide ..... A-6
  A.3 Sample Tabletop Exercise After Action Report ..... A-9
Appendix B— Sample Functional Exercise Documentation ..... B-1
  B.1 Sample Functional Exercise Scenario ..... B-2
  B.2 Sample Functional Exercise Master Scenario Events List ..... B-5
  B.3 Sample Functional Exercise Injects ..... B-7
  B.4 Sample Functional Exercise Inject Tracking Form ..... B-9
  B.5 Sample Functional Exercise After Action Report ..... B-11
Appendix C— Sample Test Documentation ..... C-1
  C.1 Sample Component Test Documentation ..... C-2
  C.2 Sample System Test Documentation ..... C-7
  C.3 Sample Comprehensive Test Documentation ..... C-13
Appendix D— Glossary ..... D-1
Appendix E— Acronyms ..... E-1
Appendix F— Print and Online Resources ..... F-1
Appendix G— Index ..... G-1

List of Figures

Figure 2-1. TT&E Event Methodology ..... 2-5

List of Tables

Table 4-1. Sample Logistics Checklist for Tabletop Exercise Events ..... 4-3
Table 5-1. Sample Logistics Checklist for Functional Exercise Events ..... 5-3
Table 6-1. Sample Logistics Checklist for Test Events ..... 6-4
Executive Summary
Organizations have information technology (IT) plans in place, such as contingency and computer
security incident response plans, so that they can respond to and manage adverse situations involving IT.
These plans should be maintained in a state of readiness, which should include having personnel trained
to fulfill their roles and responsibilities within a plan, having plans exercised to validate their content, and
having systems and system components tested to ensure their operability in an operational environment
specified in a plan. These three types of events can be carried out efficiently and effectively through the
development and implementation of a test, training, and exercise (TT&E) program. Organizations should
consider having such a program in place because tests, training, and exercises are so closely related. For
example, exercises and tests offer different ways of identifying deficiencies in IT plans, procedures, and
training.
This document provides guidance on designing, developing, conducting, and evaluating TT&E events so
that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse
events that may affect their missions. The scope of this document is limited to TT&E events for single
organizations, as opposed to large-scale events involving multiple organizations, involving internal IT
operational procedures for emergencies. This document does not address TT&E for a specific type of IT
plan; rather, the TT&E methodology described in this document can be applied to TT&E events built
around any IT plan or around an IT emergency-handling capability that is not necessarily documented in a
plan, such as computer security incident response.
As part of creating a comprehensive TT&E program, a TT&E plan should be developed that outlines the
steps to be taken. The TT&E plan should define the organization’s roadmap for ensuring a viable
capability, and outline the organization’s approach to maintaining plans, as well as enhancing and
managing the capability. Enhancing emergency plans, policies, and procedures will promote more
efficient utilization of capabilities in responding to cyber attacks. In addition, the TT&E plan should
identify resource and budget requirements that enable organizations to achieve an effective, proven
capability, and provide a schedule for conducting various types of TT&E events. Creating the TT&E
program should also involve several other steps, including developing a TT&E policy, identifying roles
and responsibilities, and documenting a TT&E event methodology.
The TT&E program should include several types of events to ensure the availability of a wide range of
methods for validating various planning elements in the context of cyber incidents. The types of events
covered in this guide are as follows:
Tests.[1] Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT
system or system component in an operational environment specified in an IT plan. For example,
an organization could test if call tree cascades can be executed within prescribed time limits;
another test would be removing power from a system or system component. A test is conducted
in as close to an operational environment as possible; if feasible, an actual test of the components
or systems used to conduct daily operations for the organization should be used. The scope of
testing can range from individual system components or systems to comprehensive tests of all
systems and components that support an IT plan. Tests often focus on recovery and backup
operations; however, testing varies depending on the goal of the test and its relation to a specific
IT plan.

[1] Many people use the terms “test” and “exercise” interchangeably, such as “performing testing through exercises”. However,
there are distinctions between the two terms. For the purpose of this document, the term “test” is reserved for testing
systems or system components; it is not used to describe “exercising” plans.
Training. For the purposes of this publication, training refers only to informing personnel of
their roles and responsibilities within a particular IT plan and teaching them skills related to those
roles and responsibilities, thereby preparing them for participation in exercises, tests, and actual
emergency situations related to the IT plan. Training personnel on their roles and responsibilities
before an exercise or test event is typically split between a presentation on their roles and
responsibilities, and activities that allow personnel to demonstrate their understanding of the
subject matter.
Exercises. An exercise is a simulation of an emergency designed to validate the viability of one
or more aspects of an IT plan. In an exercise, personnel with roles and responsibilities in a
particular IT plan meet to validate the content of a plan through discussion of their roles and their
responses to emergency situations, execution of responses in a simulated operational
environment, or other means of validating responses that does not involve using the actual
operational environment. Exercises are scenario-driven, such as a power failure in one of the
organization’s data centers or a fire causing certain systems to be damaged, with additional
situations often being presented during the course of an exercise. There are several types of
exercises, and this publication focuses on the following two types that are widely used in TT&E
programs by single organizations:
– Tabletop Exercises. Tabletop exercises are discussion-based exercises where personnel
meet in a classroom setting or in breakout groups to discuss their roles during an emergency
and their responses to a particular emergency situation. A facilitator presents a scenario and
asks the exercise participants questions related to the scenario, which initiates a discussion
among the participants of roles, responsibilities, coordination, and decision-making. A
tabletop exercise is discussion-based only and does not involve deploying equipment or other
resources.
– Functional Exercises. Functional exercises allow personnel to validate their operational
readiness for emergencies by performing their duties in a simulated operational environment.
Functional exercises are designed to exercise the roles and responsibilities of specific team
members, procedures, and assets involved in one or more functional aspects of a plan (e.g.,
communications, emergency notifications, IT equipment setup). Functional exercises vary in
complexity and scope, from validating specific aspects of a plan to full-scale exercises that
address all plan elements. Functional exercises allow staff to execute their roles and
responsibilities as they would in an actual emergency situation, but in a simulated manner.
Organizations should conduct TT&E events periodically; following organizational changes, updates to an
IT plan, or the …