Rules of Engagement - Checklist
| Checkpoint | Contents |
|---|---|
| ☐ Introduction | Description of this document. |
| ☐ Contractor | Company name, contractor's full name, job title. |
| ☐ Penetration Testers | Company name, penetration testers' full names. |
| ☐ Contact Information | Mailing addresses, e-mail addresses, and phone numbers of all client parties and penetration testers. |
| ☐ Purpose | Description of the purpose of the penetration test being conducted. |
| ☐ Goals | Description of the goals that should be achieved with the penetration test. |
| ☐ Scope | All IPs, domain names, URLs, or CIDR ranges. |
| ☐ Lines of Communication | Online conferences, phone calls, face-to-face meetings, or e-mail. |
| ☐ Time Estimation | Start and end dates. |
| ☐ Time of the Day to Test | Times of the day during which testing is permitted. |
| ☐ Penetration Testing Type | External/Internal Penetration Test, Vulnerability Assessment, Social Engineering. |
| ☐ Penetration Testing Locations | Description of how the connection to the client network is established. |
| ☐ Methodologies | OSSTMM, PTES, OWASP, and others. |
| ☐ Objectives / Flags | Users, specific files, specific information, and others. |
| ☐ Evidence Handling | Encryption, secure protocols. |
| ☐ System Backups | Configuration files, databases, and others. |
| ☐ Information Handling | Strong data encryption. |
| ☐ Incident Handling and Reporting | Cases for contact, pentest interruptions, type of reports. |
| ☐ Status Meetings | Frequency of meetings, dates, times, included parties. |
| ☐ Reporting | Type, target readers, focus. |
| ☐ Retesting | Start and end dates. |
| ☐ Disclaimers and Limitation of Liability | System damage, data loss. |
| ☐ Permission to Test | Signed contract, contractor's agreement. |