Mandatory Test


1. Scoping Document Creation

1.1. Faye copies from the template and starts crafting the document per Brian's request

1.1.1. Brian feeds information about future project

1.1.2. Information can also come from Oversight

1.1.3. Faye collects information from Vuln Mgmt team and 1LoD partners per Brian's request

1.1.4. Summary section write-up can be done with partners or the TMPT team; for IoT, Amna and Chantale provided insight

1.1.4.1. Challenges

1.1.4.1.1. The scoping document should be a copy-and-paste into the executive summary; instead, the tester has to digest the information from the scoping document and rewrite it in a way that fits the narrative, which makes for difficult and redundant work

1.2. Scoping document approval

1.2.1. First approved by Brian and Chantale

1.2.2. Second approved by Stephen Cospolich

2. Scoping Asset Determination

2.1. Faye collects data from peers, uploads it to the share and e-mails the team

2.1.1. The tester is responsible for analyzing the data and marking the assets in scope as final prior to testing

2.1.1.1. Solution: Get involved more often in asset determination/identification and act as an SME

2.1.2. Faye expects an e-mail formalizing the final acceptance of the assets in scope

2.1.3. Brian needs to accept and approve the final assets in scope

3. Pentest

3.1. The tester e-mails stakeholders with a start/stop notice of the pentest, including the assets he/she is testing from.

3.2. Findings

3.2.1. The tester has to produce a full write-up in report format (including description, steps to reproduce, remediation, and affected hosts) and provide it to Faye.

3.2.1.1. Critical

3.2.1.1.1. SLA: 24 hours for Faye to give to the correct team

3.2.1.2. High

3.2.1.2.1. SLA: 48 hours for Faye to give to the correct team

3.2.1.3. Medium

3.2.1.3.1. SLA: 5 days for Faye to give to the correct team

3.2.1.4. Low

3.2.1.4.1. SLA: 10 days for Faye to give to the correct team

3.2.2. Tracking Remediation

3.2.2.1. Faye keeps track of present and future remediation of findings via spreadsheet

3.2.2.2. Faye utilizes the Firm's resources to identify the finding owner

3.2.2.2.1. Remedy

3.2.2.2.2. APM ID

3.2.2.2.3. Tribal Knowledge

3.2.2.2.4. Challenges

3.2.2.3. Faye uses TMPT e-mail to contact the finding owner

3.2.2.3.1. Critical/High

3.2.2.3.2. Medium/Low/Informational

3.2.3. Remediation Completion

3.2.3.1. Faye gets closure evidence from the finding owner via e-mail

3.2.3.1.1. Faye shares it with Brian/Chantale and the tester

3.2.3.2. Decision making on retest or closure

3.2.3.2.1. Brian decides whether the finding should be retested or marked as closed depending on the evidence

3.2.3.3. Challenges

3.2.3.3.1. Retests should not be decided case-by-case

3.2.3.3.2. Technical control findings are hard to keep track of

3.2.3.3.3. Faye has to break down a finding based on the number of finding owners

3.3. Report Writing

3.3.1. Deliverable due 5 business days after test completion

3.3.1.1. Tester documentation writing

3.3.1.1.1. Cover page has to be aligned with the current test

3.3.1.1.2. Executive summary has to encompass the scoping document

3.3.1.1.3. Root cause

3.3.1.1.4. Objective and Introduction

3.3.1.1.5. Findings Documentation

3.3.2. The TMPT team reviews it, and then the tester has 3 business days to make the changes

4. Pre Pentest

4.1. Unannounced Test

4.1.1. No e-mail or notification required

4.2. Announced Test

4.2.1. Faye has to send an e-mail to Chad and the SOC with the start date and finish date, and also provide the assets in scope.

4.2.1.1. The e-mail must be sent before the test starts