57 lines
1.4 KiB
Markdown
57 lines
1.4 KiB
Markdown
|
|
## Target Audience
|
|
|
|
- Identify targets of the engagement
|
|
- Identify scope and size of the engagement
|
|
- Surface area of engagement
|
|
|
|
## Objective
|
|
|
|
Asses reasons for the assessment. Security, risk assessments, customer personal data protection, etc.
|
|
|
|
Identify Protected Assets
|
|
|
|
[[ASSET INVENTORY]]
|
|
|
|
[[RISK REGISTER]]
|
|
|
|
## Compliance
|
|
|
|
Establish guidelines (or necessity) for compliance with internal and external regulations or standards.
|
|
Example: PCI DSS, GDPR, HIPPA, etc
|
|
- Strictly defined surface area of engagement
|
|
|
|
[[Statement of Work]]
|
|
|
|
[[Non-Disclosure Agreement]]
|
|
|
|
[[Request for Information (RFI)]]
|
|
|
|
## Resources
|
|
|
|
1. Define budgeting requirements for the campaign.
|
|
2. Identify target's accessibility:
|
|
- Physical access
|
|
- Remote access
|
|
- Tooling required
|
|
|
|
## Communication Plan
|
|
|
|
1. Aquire Trusted Agent(s) within the company for trusted communication
|
|
2. Establish communication guidelines and information access control rules during engagement (who knows what)
|
|
3. Establish escalation procedures
|
|
|
|
|
|
## Product/Report
|
|
|
|
Establish reporting guidelines
|
|
|
|
[[PENTEST REPORT TEMPLATE]]
|
|
|
|
## Technical Constraints
|
|
|
|
Identify and establish all technical restrictions during the engagement. What parts of the infrastructure is tested and what is out of scope.
|
|
|
|
## Comprehensiveness
|
|
|
|
Identify specifics on the engagement, what parts of the infrastructure is tested, what type of vulnerabilities, etc. |