Rules of Engagement - Checklist
[ ] Introduction
Description of this document.
[ ] Contractor
Company name, contractor's full name, job title.
[ ] Penetration Testers
Company name, the penetration testers' full names.
[ ] Contact Information
Mailing addresses, e-mail addresses, and phone numbers of all client parties and penetration testers.
[ ] Purpose
Description of the purpose of the penetration test.
[ ] Goals
Description of the goals that should be achieved with the penetration test.
[ ] Scope
All IP addresses, domain names, URLs, or CIDR ranges that may be tested, and any hosts or ranges that are explicitly excluded.
[ ] Lines of Communication
Online conferences, phone calls, face-to-face meetings, or e-mail.
[ ] Time Estimation
Start and end dates.
[ ] Time of the Day to Test
Hours of the day during which testing is permitted, including the time zone.
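The Scope and Time of the Day to Test items are the two a tester must check against before every scan or login attempt. The following is an added example, not part of the original checklist, of a small pre-flight check that refuses any target outside the agreed scope or outside the agreed dates and hours. All values in ROE (RFC 5737 test networks, RFC 2606 example domains, the dates and the 09:00-17:00 window) are constructed placeholders standing in for a real client's scope.

```python
"""Pre-flight scope and testing-window check against a Rules of Engagement.

Added example, not part of the original checklist. ROE below holds
constructed placeholder values, not a real client scope.
"""
import ipaddress
from datetime import datetime, time

# Constructed RoE excerpt (assumed values, not a real engagement).
ROE = {
    "networks": ["203.0.113.0/24", "198.51.100.16/28"],  # in-scope CIDR ranges
    "hosts": ["192.0.2.10"],                             # in-scope single IPs
    "domains": ["example.com", "*.app.example.com"],     # exact or wildcard names
    "excluded": ["203.0.113.250/32", "prod-db.app.example.com"],
    "dates": (datetime(2024, 3, 4), datetime(2024, 3, 15)),  # start / end
    "window": (time(9, 0), time(17, 0)),  # permitted hours, client local time
}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _ip_listed(target, entries):
    """True if target (an IP string) is in any CIDR or single-IP entry."""
    addr = ipaddress.ip_address(target)
    for entry in entries:
        if "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif _is_ip(entry) and addr == ipaddress.ip_address(entry):
            return True
    return False

def _domain_listed(target, entries):
    """True if target matches an exact name or a '*.suffix' wildcard.
    A wildcard covers subdomains only, never the apex itself."""
    name = target.lower().rstrip(".")
    for entry in entries:
        if _is_ip(entry) or "/" in entry:
            continue  # IP-style entries are handled by _ip_listed
        entry = entry.lower()
        if entry.startswith("*."):
            if name.endswith("." + entry[2:]):
                return True
        elif name == entry:
            return True
    return False

def in_scope(target, roe=ROE):
    """Return (allowed, reason). Exclusions always win over inclusions."""
    if _is_ip(target):
        if _ip_listed(target, roe["excluded"]):
            return False, "explicitly excluded"
        if _ip_listed(target, roe["networks"] + roe["hosts"]):
            return True, "in scope"
        return False, "not in any in-scope network or host"
    if _domain_listed(target, roe["excluded"]):
        return False, "explicitly excluded"
    if _domain_listed(target, roe["domains"]):
        return True, "in scope"
    return False, "not in any in-scope domain"

def in_window(now, roe=ROE):
    """True if `now` (client local time) is inside the agreed dates and hours."""
    start_date, end_date = roe["dates"]
    if not start_date.date() <= now.date() <= end_date.date():
        return False
    start, end = roe["window"]
    return start <= now.time() <= end

def preflight(targets, now, roe=ROE):
    """Split targets into (allowed, rejected-with-reason).
    Outside the window nothing is allowed, regardless of scope."""
    if not in_window(now, roe):
        return [], {t: "outside the agreed testing window" for t in targets}
    allowed, rejected = [], {}
    for target in targets:
        ok, reason = in_scope(target, roe)
        if ok:
            allowed.append(target)
        else:
            rejected[target] = reason
    return allowed, rejected

if __name__ == "__main__":
    ok, bad = preflight(
        ["203.0.113.5", "203.0.113.250", "www.app.example.com", "app.example.com"],
        datetime(2024, 3, 5, 10, 30),
    )
    print("allowed:", ok)
    print("rejected:", bad)
```

Two design choices worth keeping in any real version: exclusions are evaluated before inclusions, so an excluded host inside an in-scope CIDR is never tested, and a wildcard entry does not cover its apex, so "*.app.example.com" does not silently authorise app.example.com unless it is listed on its own.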
[ ] Penetration Testing Type
External or internal penetration test, vulnerability assessment, social engineering.
[ ] Penetration Testing Locations
Description of how the connection to the client network is established (on-site or remote, e.g., via VPN).
[ ] Methodologies
OSSTMM, PTES, OWASP, and others.
[ ] Objectives / Flags
Specific user accounts, files, or pieces of information to be obtained.
[ ] Evidence Handling
Encryption of stored evidence, secure protocols for transferring it.
[ ] System Backups
Configuration files, databases, and other data the client should back up before testing begins.
[ ] Information Handling
Strong encryption for all client data collected during the test.
[ ] Incident Handling and Reporting
Cases in which the client must be contacted, conditions under which the test is interrupted, and the type of reports.
[ ] Status Meetings
Frequency of meetings, dates, times, participating parties.
[ ] Reporting
Report type, target readers, focus.
[ ] Retesting
Start and end dates.
[ ] Disclaimers and Limitation of Liability
System damage, data loss.
[ ] Permission to Test
Signed contract, contractor's agreement.