Verification Plan (SVP) — ISO/IEC/IEEE 15289 — Plan | IEEE 29148 §6.6
Generated 2026-03-27 — UHT Journal / universalhex.org

| Ref | Requirement | Method | Tags |
|---|---|---|---|
| VER-VER-METH-001 | The detection and alerting pipeline SHALL be verified through quarterly purple team exercises simulating at least 20 MITRE ATT&CK techniques across initial access, execution, persistence, lateral movement, and exfiltration tactics, with all test events required to produce alerts within the specified MTTD thresholds. Rationale: Purple team exercises are the only verification method that validates the end-to-end detection pipeline under realistic adversary conditions — from initial access through exfiltration. Quarterly cadence ensures detection coverage is verified after each detection rule update cycle. The 20-technique minimum across 5 ATT&CK tactic categories ensures breadth of coverage testing, not just depth against a single attack chain. | Test | verification, validation, session-293 |
| VER-VER-METH-002 | The SIEM Engine failover capability SHALL be verified through semi-annual failover exercises that simulate primary SIEM node failure and measure time-to-failover, event loss during switchover, and degraded-mode detection rate, with acceptance criteria of failover completion within 5 minutes, zero event loss exceeding 60 seconds, and degraded detection rate meeting the 60% minimum threshold. Rationale: SYS-REQS-017 introduces a degraded-mode detection requirement that must be verified independently of the quarterly purple team exercises (VER-METH-001). Failover testing validates both the SIEM HA architecture and the bypass alert paths from EDR/NSM/IAM to SOAR. Without dedicated failover exercises, the degraded-mode capability may exist on paper but fail under actual SIEM outage conditions. | Test | verification, validation, session-297 |
| VER-VER-METH-003 | The end-to-end detection and response pipeline from event ingestion through SIEM correlation to SOAR playbook execution and containment action SHALL be verified through monthly automated integration tests injecting synthetic events at each subsystem boundary, with each test validating end-to-end latency against SLA thresholds and confirming correct alert enrichment, routing, and containment command execution. Rationale: The verification plan currently covers only quarterly purple team exercises (VER-METH-001), which test detection effectiveness but not integration health. Monthly automated integration tests catch regression in inter-subsystem interfaces (message queue connectivity, API schema changes, TLS certificate expiry) before they impact real incident response. This mirrors the hospital patient monitoring approach where integration tests run continuously on the alerting pipeline. | Test | verification, validation, session-297 |
| VER-VER-METH-004 | The data retention and regulatory compliance capabilities SHALL be verified through quarterly audits confirming that hot storage retains 90 days of searchable events, warm storage retains 365 days of retrievable events, case data is retained for 2 years, and regulatory notification templates produce complete and accurate documents for GDPR Article 33 and NIS2 Article 23 reporting. Rationale: Multiple requirements specify data retention periods (SYS-DATA-006, REQ-SECYBERSECOPSCENTRE-003, REQ-005) and regulatory notification generation (SYS-DATA-009), but no verification activity confirms these capabilities are maintained over time. Storage tier migration, schema changes, or capacity pressure can silently break retention compliance. Quarterly audit frequency aligns with the 90-day hot retention window, ensuring at least one audit covers each retention boundary. | Inspection | verification, validation, session-297 |
| VER-VER-METH-005 | The incident response and containment pipeline SHALL be verified through quarterly tabletop exercises and semi-annual live containment tests, simulating endpoint isolation via EDR, automated playbook execution via SOAR, and network-level containment via NSM, with acceptance criteria of endpoint isolation within 30 seconds, playbook execution within 60 seconds, and full incident lifecycle closure including post-incident review within 4 hours of detection. Rationale: The response pipeline spans EDR containment (REQ-007), SOAR playbook execution (REQ-004/005), and SOAR-to-EDR/NSM command interfaces (IFC-004, IFC-010). Without end-to-end response testing, individual subsystem tests may pass while the integrated containment workflow fails under realistic incident conditions. Quarterly tabletop plus semi-annual live test balances operational disruption against verification confidence. | Test | session-298, verification |
| VER-VER-METH-006 | The network security monitoring and identity monitoring subsystems SHALL be verified through quarterly sensor coverage audits confirming IDS deployment on all monitored segments at 10 Gbps aggregate, and through semi-annual UEBA accuracy assessments measuring false positive rate against a baseline of normal authentication patterns, with acceptance criteria of 100% segment coverage, PCAP retention of 72 hours minimum, and UEBA false positive rate not exceeding 5% of generated alerts. Rationale: Network monitoring (REQ-009) and identity monitoring (REQ-010) are passive detection subsystems whose effectiveness degrades silently — a missing sensor or drifted UEBA baseline produces no visible failure signal. Periodic coverage audits and accuracy assessments are the only way to maintain confidence that these subsystems are detecting threats across the full monitored surface. | Test | session-298, verification |
| VER-VER-METH-007 | The threat intelligence ingestion and enrichment pipeline SHALL be verified through monthly feed health checks confirming that all configured intelligence feeds are active and delivering indicators within specified latencies, and through quarterly enrichment accuracy tests measuring the proportion of SIEM alerts correctly enriched with TIP context, with acceptance criteria of at least 20 active feeds, indicator delivery within 5 minutes of publication, and enrichment coverage of at least 90% of correlated alerts containing at least one TIP-sourced IOC match. Rationale: The TIP subsystem (REQ-008) and its interfaces to SIEM (IFC-003) and SOAR (IFC-009) form a critical enrichment chain — without current intelligence, SIEM correlation operates on signatures alone and SOAR playbooks lack threat context for triage prioritisation. Feed health degrades silently (expired API keys, deprecated endpoints), so proactive verification is essential. | Test | session-298, verification |
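
As an added example that is not part of this plan or any vendor tooling, the following Python scores one VER-METH-002 failover exercise against its three acceptance criteria (failover within 5 minutes, no event-loss window over 60 seconds, degraded-mode detection rate of at least 60%). It assumes the exercise injects one sequence-numbered synthetic event per second and that the bypass-path test events sent during the outage are counted separately.

```python
# Scorer for the semi-annual SIEM failover exercise in VER-METH-002 (added
# example, not part of the plan). Assumption: the exercise injects one
# sequence-numbered synthetic event per second, so a run of missing sequence
# numbers is a loss window in seconds.
from dataclasses import dataclass, field

FAILOVER_MAX_S = 5 * 60      # failover completion within 5 minutes
LOSS_GAP_MAX_S = 60          # no event-loss window exceeding 60 seconds
DEGRADED_RATE_MIN = 0.60     # degraded-mode detection rate at least 60%
@dataclass
class FailoverResult:
    time_to_failover_s: float
    longest_loss_gap_s: int
    degraded_detection_rate: float
    failures: list = field(default_factory=list)
    @property
    def passed(self) -> bool:
        return not self.failures

def longest_missing_run(received_seqs, first_seq, last_seq):
    """Longest contiguous run of injected sequence numbers that reached
    neither the primary nor the secondary SIEM node."""
    seen = set(received_seqs)
    longest = run = 0
    for seq in range(first_seq, last_seq + 1):
        run = 0 if seq in seen else run + 1
        longest = max(longest, run)
    return longest

def score_failover(primary_failed_at, first_secondary_event_at, received_seqs,
                   first_seq, last_seq, degraded_injected, degraded_alerted):
    """Timestamps are seconds since exercise start; degraded_* count test events
    sent over the EDR/NSM/IAM bypass paths while SIEM was down and how many of
    them raised a SOAR alert."""
    ttf = first_secondary_event_at - primary_failed_at
    gap = longest_missing_run(received_seqs, first_seq, last_seq)
    rate = degraded_alerted / degraded_injected if degraded_injected else 0.0
    result = FailoverResult(ttf, gap, rate)
    if ttf > FAILOVER_MAX_S:
        result.failures.append(f"failover {ttf:.0f}s > {FAILOVER_MAX_S}s")
    if gap > LOSS_GAP_MAX_S:
        result.failures.append(f"loss window {gap}s > {LOSS_GAP_MAX_S}s")
    if rate < DEGRADED_RATE_MIN:
        result.failures.append(f"degraded rate {rate:.0%} < {DEGRADED_RATE_MIN:.0%}")
    return result

# Constructed sample: 600 events at 1/s, primary fails at t=120, secondary takes
# over at t=165, so seq 121..165 reach neither node. Expected: passes all three.
SAMPLE_RECEIVED = [s for s in range(1, 601) if not 121 <= s <= 165]
SAMPLE = score_failover(120, 165, SAMPLE_RECEIVED, 1, 600, 50, 36)
```

A real exercise would feed `received_seqs` from the SIEM's index of the synthetic event stream and the `degraded_*` counts from SOAR's alert log for the outage window.
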

| Ref | Document | Requirement |
|---|---|---|
| IFC-IFC-INTERNAL-008 | interface-requirements | The SOAR Platform SHALL create and update incident tickets in the IT Service Management system via a bidirectional REST ... |
| IFC-IFC-INTERNAL-009 | interface-requirements | The Threat Intelligence Platform SHALL expose a synchronous enrichment API to the SOAR Platform, accepting indicator que... |
| IFC-IFC-INTERNAL-010 | interface-requirements | The SOAR Platform SHALL issue network-level containment commands to the Network Security Monitoring Subsystem via an aut... |
| STK-STK-NEEDS-001 | stakeholder-requirements | The Cybersecurity Operations Centre SHALL detect cyber threats targeting the organisation's IT and OT infrastructure wit... |
| STK-STK-NEEDS-002 | stakeholder-requirements | The Cybersecurity Operations Centre SHALL contain confirmed security incidents within 60 minutes of detection for critic... |
| STK-STK-NEEDS-003 | stakeholder-requirements | The Cybersecurity Operations Centre SHALL comply with NIST Cybersecurity Framework, ISO 27001, and all applicable sector... |
| STK-STK-NEEDS-004 | stakeholder-requirements | The Cybersecurity Operations Centre SHALL operate continuously 24 hours per day, 7 days per week, 365 days per year with... |
| STK-STK-NEEDS-005 | stakeholder-requirements | The Cybersecurity Operations Centre SHALL maintain visibility across all organisational IT assets, OT systems, cloud wor... |
| STK-STK-NEEDS-006 | stakeholder-requirements | The Cybersecurity Operations Centre SHALL incorporate current cyber threat intelligence from at least 10 independent sou... |
| STK-STK-NEEDS-007 | stakeholder-requirements | The Cybersecurity Operations Centre SHALL generate regulatory breach notifications within the timeframes mandated by app... |
| STK-STK-NEEDS-008 | stakeholder-requirements | The Cybersecurity Operations Centre SHALL support monitoring of up to 100,000 endpoints and 500 network segments without... |
| SUB-SUB-SIEM-003 | unassigned | The SIEM Engine storage tier SHALL support a minimum hot storage capacity of 50 TB with indexed full-text search returni... |
| SUB-SUB-SIEM-003 | subsystem-requirements | When the SIEM Engine is unavailable or operating at degraded capacity, the SOAR Platform SHALL activate direct alert ing... |
| SUB-SUB-SIEM-004 | unassigned | The SOAR Platform playbook engine SHALL support at least 50 automated response playbooks covering the top 20 MITRE ATT&C... |
| SUB-SUB-SIEM-004 | subsystem-requirements | The SOC Facility Infrastructure SHALL maintain a documented disaster recovery capability including a secondary SOC site ... |
| SUB-SUB-SIEM-005 | unassigned | The SOAR Platform case management module SHALL maintain a complete incident timeline for each case, linking all associat... |
| SUB-SUB-SIEM-006 | unassigned | The Endpoint Detection and Response agent SHALL collect process creation, file modification, registry change, network co... |
| SUB-SUB-SIEM-007 | unassigned | The Endpoint Detection and Response Subsystem SHALL execute endpoint isolation (network quarantine) within 30 seconds of... |
| SUB-SUB-SIEM-008 | unassigned | The Threat Intelligence Platform SHALL deduplicate, score, and normalise indicators from all configured feeds within 5 m... |
| SUB-SUB-SIEM-009 | unassigned | The Network Security Monitoring Subsystem SHALL deploy IDS sensors on all monitored network segments with signature and ... |
| SUB-SUB-SIEM-010 | unassigned | The Identity and Access Monitoring Subsystem SHALL baseline normal authentication patterns per user entity across all mo... |
| SUB-SUB-SIEM-011 | unassigned | The Vulnerability Management System SHALL maintain a continuously updated asset inventory with at least 99% coverage of ... |
| SUB-SUB-SIEM-012 | unassigned | The Communications and Reporting Subsystem SHALL generate automated daily operational dashboards, weekly executive summa... |
| SUB-SUB-SIEM-013 | unassigned | The SOC Facility Infrastructure SHALL provide physical access control using multi-factor authentication (badge plus biom... |
| SYS-SYS-DETECT-001 | system-requirements | The SIEM Engine SHALL correlate ingested security events against detection rules and produce alerts within 120 seconds o... |
| SYS-SYS-DETECT-002 | system-requirements | The SIEM Engine SHALL sustain ingestion of at least 150,000 events per second at steady state and absorb bursts of up to... |
| SYS-SYS-DETECT-003 | system-requirements | The Endpoint Detection and Response subsystem SHALL execute remote endpoint containment actions (network isolation, proc... |
| SYS-SYS-DETECT-004 | system-requirements | The SOAR Platform SHALL execute automated response playbooks for known alert categories within 60 seconds of alert recei... |
| SYS-SYS-DETECT-005 | system-requirements | The Threat Intelligence Platform SHALL ingest and normalise indicators from at least 20 intelligence feeds using STIX/TA... |
| SYS-SYS-DETECT-006 | system-requirements | The Cybersecurity Operations Centre SHALL retain searchable security event logs for a minimum of 90 days in hot storage ... |
| SYS-SYS-DETECT-007 | system-requirements | The Vulnerability Management System SHALL scan 100% of IT assets on a rolling 7-day cycle and 100% of OT assets on a rol... |
| SYS-SYS-DETECT-008 | system-requirements | The Cybersecurity Operations Centre platform SHALL achieve 99.95% availability measured monthly, with no single point of... |
| SYS-SYS-DETECT-009 | system-requirements | The Communications and Reporting Subsystem SHALL generate pre-populated regulatory breach notification documents within ... |
| SYS-SYS-DETECT-010 | system-requirements | The Network Security Monitoring Subsystem SHALL capture full packet data on all monitored network segments at aggregate ... |
| SYS-SYS-DETECT-011 | system-requirements | The Identity and Access Monitoring Subsystem SHALL perform User and Entity Behaviour Analytics across all Active Directo... |
| SYS-SYS-DETECT-012 | system-requirements | The SOC Facility Infrastructure SHALL provide uninterruptible power for a minimum of 72 hours using UPS and backup gener... |
| SYS-SYS-DETECT-015 | system-requirements | The Cybersecurity Operations Centre SHALL encrypt all security event data in transit using TLS 1.3 or later on all inter... |
| SYS-SYS-DETECT-016 | system-requirements | The Cybersecurity Operations Centre SHALL maintain a documented disaster recovery capability with a recovery time object... |
| SYS-SYS-DETECT-017 | system-requirements | When the SIEM Engine becomes unavailable or operates at degraded capacity, the Cybersecurity Operations Centre SHALL mai... |
| SYS-SYS-DETECT-018 | system-requirements | The Cybersecurity Operations Centre SHALL maintain a minimum staffing level of 2 Tier-1 analysts and 1 Tier-2 analyst pe... |
| VER-VER-METH-002 | verification-plan | The SIEM Engine failover capability SHALL be verified through semi-annual failover exercises that simulate primary SIEM ... |
| VER-VER-METH-003 | verification-plan | The end-to-end detection and response pipeline from event ingestion through SIEM correlation to SOAR playbook execution ... |
| VER-VER-METH-004 | verification-plan | The data retention and regulatory compliance capabilities SHALL be verified through quarterly audits confirming that hot... |