# Test Plan Management
[[Test Plan Management]] is a [[Control Development]] capability. Test planning is a critical step in producing value from a cybersecurity perspective. Test plans can be developed in a variety of ways and ensure that defenses are being regression tested from an adversary perspective. Test planning also incorporates compliance tests, and it is up to the organization to determine whether Control Verification will support both compliance and adversary resilience testing. A Test Plan can also be useful in the event of an incident because it enables a look back on the defensive strategy to determine whether the content required to prove resilience was actually planned to be tested.
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- B[[Control Development]]
B --- B.1[[Defense Modeling]]
B --- B.2[[Standards Management]]
B --- B.3[[Policy Management]]
B --- B.4[[Test Plan Management]]
B --- B.5[[Threshold Management]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class B.4 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
> [!success] Definition
>
> Test plan management is the structured process of developing and implementing tailored test plans to assess the resilience of various elements within the software ecosystem. This includes defining test objectives, selecting appropriate methodologies and test scenarios, and reporting results. The aim is to conduct thorough security assessments based on identified adversaries, vulnerabilities and risks, to validate the effectiveness of security measures.
## Goals
>[!cm-goal] Goal 1
Identify Undetected Vulnerabilities
>[!cm-goal] Goal 2
Validate Control Effectiveness
>[!cm-goal] Goal 3
Proactively Address Risk
>[!cm-goal] Goal 4
Prioritize Resilience Investments
## Scope
## Process
+ Adversary Analysis
+ Use Cases
+ Abuse Cases
+ Security Requirements
+ Test Cases
## Metrics
>[!cm-metric] Metric: [[Coverage]]
>[!cm-metric] Metric: Number of vulnerabilities detected through test plans vs total exploitable opportunities
>[!cm-metric] Metric: [[% of controls covered by test cases]]
>[!cm-metric] Metric: [[% of test not meeting established thresholds]]
>[!cm-metric] Metric: [[Rise in real world exploits]]
>[!cm-metric] Metric: [[% of Vulnerabilities Missed during Testing]]
>[!cm-metric] Metric: [[False Positive Rate]]
## Inspiration & Resources
+
##
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.