handbook/01 - Planning.md

54 lines
1.4 KiB
Markdown
Raw Normal View History

2024-08-24 17:34:25 +00:00
## Target Audience
- Identify targets of the engagement
- Identify scope and size of the engagement
2024-08-25 19:02:08 +00:00
- Surface area of engagement
2024-08-24 17:34:25 +00:00
## Objective
Asses reasons for the assessment. Security, risk assessments, customer personal data protection, etc.
2024-08-25 19:02:08 +00:00
Identify Protected Assets
[[ASSET INVENTORY]]
[[RISK REGISTER]]
2024-08-24 17:34:25 +00:00
## Compliance
2024-08-30 12:45:22 +00:00
Establish guidelines (or necessity) for compliance with internal and external regulations or standards.
Example: PCI DSS, GDPR, HIPPA, etc
2024-08-25 19:02:08 +00:00
- Strictly defined surface area of engagement
[[Statement of Work]]
[[Non-Disclosure Agreement]]
[[Request for Information (RFI)]]
2024-08-24 17:34:25 +00:00
## Resources
1. Define budgeting requirements for the campaign.
2. Identify target's accessibility:
- Physical access
- Remote access
- Tooling required
## Communication Plan
1. Aquire Trusted Agent(s) within the company for trusted communication
2. Establish communication guidelines and information access control rules during engagement (who knows what)
2024-08-30 12:45:22 +00:00
3. Establish escalation procedures
2024-08-24 17:34:25 +00:00
## Product/Report
Establish reporting guidelines
2024-08-25 19:02:08 +00:00
[[PENTEST REPORT TEMPLATE]]
2024-08-24 17:34:25 +00:00
## Technical Constraints
Identify and establish all technical restrictions during the engagement. What parts of the infrastructure is tested and what is out of scope.
## Comprehensiveness
2024-08-24 19:44:58 +00:00
Identify specifics on the engagement, what parts of the infrastructure is tested, what type of vulnerabilities, etc.