DAVE BSWEIGERT, CISA, CISSP, HCISSP, PMP, SEC+ PEN TESTING ENGAGEMENT
SAMPLE PENETRATION TESTING ENGAGEMENT LETTER
PARTIES
This document formalizes the relationship between the two parties, hereinafter known as the TESTER and
the entity that owns and operates the TARGET OF EVALUATION (TOE).
THE TESTER is a consulting and professional services entity that shall perform an operational check of
the TOE. This operational check shall be focused on the security vulnerabilities embedded within the
Information Technology (IT) core infrastructure of the TOE. The TESTER will use tools identified as
leading industry practice to measure the vulnerabilities associated with the various configurations of IT
core infrastructure within the TOE.
THE TOE OWNER is the entity that leases, operates, controls or maintains the TOE. The TOE OWNER
warrants that it has the authority and responsibility to authorize testing of the TOE. Such testing may
include evaluations of the vulnerabilities that may reside in IT core infrastructure appliances, servers,
cloud-based systems, etc.
SCOPE STATEMENT
The parties agree to define a mutual SCOPE STATEMENT that shall define the general parameters of the
testing to be executed. Such parameters should define tangible and measurable boundaries that carve
out the IT core infrastructure that shall comprise the TOE. For example: Internet Protocol (IP) address
ranges; identification of servers (by system name and IP address); exposed web servers to be tested for
application-level vulnerabilities; identification of infrastructure appliances that shall be tested for routing
and networking vulnerabilities; wireless (Wi-Fi) access points that shall be tested; and remote access points
(RADIUS, dial-in, VPN, etc.).
The scope statement shall also identify associated and ancillary infrastructure that the TOE OWNER relies
upon but for which it may not have formal authority to commit to such testing. Examples of ancillary
infrastructure include supporting Internet-based domain name services (DNS), IP routing,
application-level firewalls maintained to filter out Web-based attacks, infrastructure maintained by an
Internet Service Provider (ISP) or cable company, etc. All such infrastructure that is not under the
direct control of the TOE OWNER shall be identified and included in the scope statement so that
arrangements can be made with those infrastructure providers before it is tested.
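An added example (not part of the original letter) of how a TESTER can enforce such a scope statement before any tool is pointed at a target: each planned target is classified against the listed IP ranges, named systems and ancillary provider infrastructure, and anything not cleared is held back. The ranges, system names and provider names below are constructed for illustration.

```python
"""Scope-statement guard: hold any target that is outside the agreed IP ranges
and named systems, or that belongs to ancillary infrastructure (ISP routing,
managed WAF, DNS) for which the provider has not yet made its own arrangement.
Every range, host name and provider here is constructed for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ScopeStatement:
    """The tangible, measurable boundaries the engagement letter asks for."""
    networks: List[str] = field(default_factory=list)            # in-scope CIDR ranges
    hosts: Dict[str, str] = field(default_factory=dict)          # system name -> IP address
    ancillary: Dict[str, str] = field(default_factory=dict)      # CIDR -> provider that must agree separately
    provider_consent: Dict[str, bool] = field(default_factory=dict)  # provider -> arrangement made?

    def in_scope_networks(self):
        return [ipaddress.ip_network(n, strict=False) for n in self.networks]


def resolve(scope: ScopeStatement, target: str):
    """Map a target (scope-listed system name or IP literal) to an ip_address, else None.
    No live DNS is consulted: a name must appear in the scope statement itself."""
    if target in scope.hosts:
        return ipaddress.ip_address(scope.hosts[target])
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def classify(scope: ScopeStatement, target: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'in_scope', 'ancillary' or 'out_of_scope'."""
    ip = resolve(scope, target)
    if ip is None:
        return "out_of_scope", f"{target!r} is neither a scope-listed system name nor an IP address"
    # Ancillary infrastructure is checked first: it may sit inside an in-scope range
    # (a provider-managed firewall in front of the web tier, for instance) but still
    # needs that provider's own arrangement before testing touches it.
    for cidr, provider in scope.ancillary.items():
        if ip in ipaddress.ip_network(cidr, strict=False):
            if scope.provider_consent.get(provider):
                return "in_scope", f"{ip} is {provider} infrastructure; arrangement on file"
            return "ancillary", f"{ip} is {provider} infrastructure; no arrangement on file"
    if any(ip in net for net in scope.in_scope_networks()) or str(ip) in scope.hosts.values():
        return "in_scope", f"{ip} is inside the scope statement"
    return "out_of_scope", f"{ip} is not inside any listed range or named system"


def gate(scope: ScopeStatement, targets: List[str]):
    """Split a planned target list into targets cleared for testing and held targets with reasons."""
    allowed, held = [], {}
    for t in targets:
        verdict, reason = classify(scope, t)
        if verdict == "in_scope":
            allowed.append(t)
        else:
            held[t] = (verdict, reason)
    return allowed, held


# Constructed sample scope statement (documentation ranges, not a real TOE)
SAMPLE_SCOPE = ScopeStatement(
    networks=["192.0.2.0/24", "198.51.100.0/28"],
    hosts={"web01": "192.0.2.10", "vpn-gw": "203.0.113.5"},
    ancillary={"198.51.100.0/28": "Example ISP", "192.0.2.250/32": "Managed WAF vendor"},
    provider_consent={"Example ISP": True},   # the WAF vendor has not yet agreed
)

if __name__ == "__main__":
    planned = ["web01", "192.0.2.250", "198.51.100.3", "10.0.0.1", "vpn-gw", "bogus"]
    cleared, held = gate(SAMPLE_SCOPE, planned)
    print("cleared:", cleared)
    for target, (verdict, reason) in held.items():
        print(f"HELD ({verdict}): {target}: {reason}")
```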
RULES OF ENGAGEMENT
A separate formalized document shall be agreed upon that describes the rules of engagement (ROE)
that shall govern execution of the testing. The ROE shall cover the impact and magnitude of testing, the types
of testing to be conducted, interactions with the TOE OWNER's employees, consultants and ancillary experts,
and thresholds of activity, including when notification of the TOE OWNER project manager is required. The ROE
also provides the protocols for addressing concerns and issues of a human-resources or personnel nature
(cooperation of employees, social engineering tests, red team tests, etc.).
©2015
IDENTIFICATION OF PROJECT PERSONNEL
Relevant personnel shall be identified with their roles and responsibilities clarified. Examples of such
roles are included below:
ROLE | CONTACT | RESPONSIBILITY
TOE PROJECT MANAGER | Telephone, cell, text, email | Provide overall coordination and scheduling of resources
PEN TESTER LEAD | Telephone, cell, text, email | Lead interface on technical issues regarding the test
Identification of personnel shall also include alternates and back-ups to provide coverage for individuals
who may be absent, in training, on vacation, etc. Escalation procedures should also outline the
notification of relevant personnel during the testing process. This may include the security officer,
continuity of operations officer, data center manager, etc.
BEST INDUSTRY PRACTICES
THE TESTER shall rely on those industry practices that appear to be in common use to identify
vulnerabilities within the IT core infrastructure of the TOE OWNER. Such practices are defined by the
National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard
(PCI DSS), etc. Tools and techniques will be relied upon that have a stable basis of usage
in the industry and have been vetted by other professional groups and practitioners. Such tools
may include NMAP, HPING, SNORT, JOHN THE RIPPER, NETCAT, etc.
EXPLOITATION OF SYSTEMS
Pursuant to the scope statement and ROE, the TESTER may be required to exploit the operating systems
(O/S) of identified platforms. This may require the exploitation of the Windows O/S, LINUX/UNIX O/S,
etc. The TESTER shall take reasonable precautions to limit the acquisition of sensitive data by testing
personnel after a successful exploit, e.g. the review, recording, editing and/or capture of Protected Health
Information (PHI) or credit card data. THE TOE OWNER agrees that such acquisition (reading, capture,
review, observation) of protected and sensitive data represents a limited and incidental exposure of the
data. Such limited and incidental exposure is comparable to the sensitive data that might be observed by a
service technician, system administrator, network technician, etc. THE TOE OWNER represents and
warrants that such inadvertent, incidental exposure shall not result in the reporting of the TESTER to
the Office for Civil Rights (U.S. Department of Health and Human Services [DHHS]) as an entity that
breached and/or maliciously acquired PHI.
INCIDENT ESCALATION
THE TOE OWNER will ensure that the appropriate managers and directors who oversee the operations of
critical applications are involved in and notified of such testing activities. THE TOE OWNER will make
arrangements for emergency fallback and restoration activities in the event that testing activities directly
and/or indirectly cause degradation of services, response times, data integrity and/or other
measures of service quality. THE TOE OWNER will have policies and procedures in place that
provide for the emergency escalation and incident management of systems that appear to be impacted
(directly or indirectly) by testing activities.
Seminar.MAJor presentation for final project viva
daditya2501
 
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
AndrHenrique77
 
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdfBreaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Nirmalthapa24
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
Organizing_Data_Grade4 how to organize.pptx
Organizing_Data_Grade4 how to organize.pptxOrganizing_Data_Grade4 how to organize.pptx
Organizing_Data_Grade4 how to organize.pptx
AllanGuevarra1
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
Grade 7 Google_Sites_Lesson creating website.pptx
Grade 7 Google_Sites_Lesson creating website.pptxGrade 7 Google_Sites_Lesson creating website.pptx
Grade 7 Google_Sites_Lesson creating website.pptx
AllanGuevarra1
 
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdfcxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
ssuser060b2e1
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
AI Days 2025_GM1 : Interface in theage of AI
AI Days 2025_GM1 : Interface in theage of AIAI Days 2025_GM1 : Interface in theage of AI
AI Days 2025_GM1 : Interface in theage of AI
Prashant Singh
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
Determining Glass is mechanical textile
Determining  Glass is mechanical textileDetermining  Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Cyber Safety: security measure about navegating on internet.
Cyber Safety: security measure about navegating on internet.Cyber Safety: security measure about navegating on internet.
Cyber Safety: security measure about navegating on internet.
manugodinhogentil
 
Seminar.MAJor presentation for final project viva
Seminar.MAJor presentation for final project vivaSeminar.MAJor presentation for final project viva
Seminar.MAJor presentation for final project viva
daditya2501
 
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
AndrHenrique77
 
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdfBreaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Nirmalthapa24
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
Organizing_Data_Grade4 how to organize.pptx
Organizing_Data_Grade4 how to organize.pptxOrganizing_Data_Grade4 how to organize.pptx
Organizing_Data_Grade4 how to organize.pptx
AllanGuevarra1
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
Grade 7 Google_Sites_Lesson creating website.pptx
Grade 7 Google_Sites_Lesson creating website.pptxGrade 7 Google_Sites_Lesson creating website.pptx
Grade 7 Google_Sites_Lesson creating website.pptx
AllanGuevarra1
 

Sample penetration testing agreement for core infrastructure

DAVE BSWEIGERT, CISA, CISSP, HCISSP, PMP, SEC+ PEN TESTING ENGAGEMENT

SAMPLE PENETRATION TESTING ENGAGEMENT LETTER

PARTIES
This document formalizes the relationship between the two parties, herein known as the TESTER and the entity that owns and operates the TARGET OF EVALUATION (TOE).

THE TESTER is a consulting and professional services entity that shall perform an operational check of the TOE. This operational check shall be focused on the security vulnerabilities embedded within the Information Technology (IT) core infrastructure of the TOE. The TESTER will use tools identified as leading industry practice to measure the vulnerabilities associated with various configurations of IT core infrastructure within the TOE.

THE TOE OWNER is the entity that leases, operates, controls or maintains the TOE. The TOE OWNER warrants that it has the authority and responsibility to authorize testing of the TOE. Such testing may include evaluations of the vulnerabilities that may reside in IT core infrastructure appliances, servers, cloud-based systems, etc.

SCOPE STATEMENT
The parties agree to define a mutual SCOPE STATEMENT that shall define the general parameters of the testing to be executed. Such parameters should define tangible and measurable boundaries that carve out the IT core infrastructure that shall comprise the TOE. For example: Internet Protocol (IP) address ranges; identification of servers (by system name and IP address); exposed web servers to be tested for application-level vulnerabilities; identification of infrastructure appliances that shall be tested for routing and networking vulnerabilities; wireless (Wi-Fi) access points that shall be tested; and remote access points (RADIUS, dial-in, VPN, etc.).

The scope statement shall identify associated and ancillary infrastructure that is relied upon by the TOE OWNER but for which the TOE OWNER may not have formal permission to commit to such testing. Examples of ancillary infrastructure may include supporting Internet-based domain name services (DNS), IP routing, application-level firewalls maintained to filter out Web-based attacks, infrastructure maintained by an Internet Service Provider (ISP) or cable company, etc. All such infrastructure that is not under the direct control of the TOE OWNER shall be identified and included in the scope statement so that arrangements can be made with such infrastructure providers.

RULES OF ENGAGEMENT
A separate formalized document shall be agreed upon that describes the rules of engagement (ROE) that shall govern the execution of the testing. The ROE shall cover the impact and magnitude of testing, the types of testing to be conducted, and interactions with the TOE OWNER's employees, consultants and ancillary experts, including the thresholds of activity beyond which notification of the TOE OWNER Project Manager is necessary, etc. The ROE also provides the protocols for addressing concerns and issues of a human resources and personnel nature (cooperation of employees, social engineering tests, red team tests, etc.).

©2015

IDENTIFICATION OF PROJECT PERSONNEL
Relevant personnel shall be identified with their roles and responsibilities clarified. Examples of such roles are included below:

ROLE                  CONTACT                       RESPONSIBILITY
TOE PROJECT MANAGER   Telephone, cell, text, email  Provide overall coordination and scheduling of resources
PEN TESTER LEAD       Telephone, cell, text, email  Lead interface on technical issues regarding the test

Identification of personnel shall also include alternates and back-ups to provide coverage for individuals who may be absent, in training, on vacation, etc. Escalation procedures should also outline the notification of relevant personnel during the testing process. This may include the security officer, continuity of operations officer, data center manager, etc.

BEST INDUSTRY PRACTICES
THE TESTER shall rely on those industry practices that appear to be in common use to identify vulnerabilities within the IT core infrastructure of the TOE OWNER. Such practices are defined by the National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard (PCI DSS), etc. Tools and techniques will be relied upon that appear to have a stable basis of usage within the industry and have been vetted by other professional groups and practitioners. Such tools may include NMAP, HPING, SNORT, JOHN THE RIPPER, NETCAT, etc.

EXPLOITATION OF SYSTEMS
Pursuant to the scope statement and ROE, the TESTER may be required to exploit the operating systems (O/S) of identified platforms. This may require the exploitation of the Windows O/S, LINUX/UNIX O/S, etc. The TESTER shall take reasonable precautions to limit the acquisition of sensitive data by testing personnel after a successful exploit, e.g. review, recording, editing and/or capture of Protected Health Information (PHI) or credit card data.

THE TOE OWNER agrees that such acquisition (reading, capture, review, observation) of protected and sensitive data represents limited and incidental exposure of the data. Such limited and incidental exposure describes what sensitive data might be observed by a service technician, system administrator, network technician, etc. THE TOE OWNER represents and warrants that such inadvertent, incidental exposure shall not result in the reporting of the TESTER to the Office of Civil Rights (U.S. Department of Health and Human Services [DHHS]) as an entity that breached and/or maliciously acquired PHI.

INCIDENT ESCALATION
THE TOE OWNER will ensure that the appropriate managers and directors who oversee the operations of critical applications are involved in and notified of such testing activities. THE TOE OWNER will make arrangements for emergency fallback and restoration activities in the event that testing activities directly and/or indirectly cause degradation of services, response times, data integrity and/or other measures of service quality. THE TOE OWNER will have policies and procedures in place that provide for the emergency escalation and incident management of systems that appear to be impacted (directly or indirectly) by testing activities.