Penetration Testing Scope Scoping Worksheet Agreement Contract

June 22, 2015

Scope Worksheet:

What are the target organization’s biggest security concerns:

(Examples include disclosure of sensitive information, interruption of production processing, embarrassment due to website defacement, etc.)

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

What specific hosts, network address ranges, or applications should be tested:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

What specific hosts, network address ranges, or applications should explicitly NOT be tested:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________
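The two questions above (what may be tested, what must explicitly not be tested) only protect anyone if they are enforced before a scanner is pointed at anything. The Python below is an added example, not part of the original worksheet or its downloadable document: it turns the two answer lists into an allow-list and a deny-list and classifies candidate targets against them. Exclusions always win over inclusions, and anything the worksheet does not mention is reported as "unlisted" rather than silently scanned, so it can be raised with the client first. The network ranges and hostnames are constructed sample data; hostnames are matched literally and are not resolved, so a host listed by name must also have its addresses listed if it will be scanned by IP.

```python
"""Scope enforcement helper for a penetration-test scoping worksheet.

Added example; the IN_SCOPE / NOT_TO_TEST entries are constructed sample
answers, not real targets.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Machine-readable form of the worksheet's 'test' / 'do NOT test' answers."""
    allowed_nets: list = field(default_factory=list)
    denied_nets: list = field(default_factory=list)
    allowed_names: set = field(default_factory=set)
    denied_names: set = field(default_factory=set)


def _parse_entry(entry):
    """Turn one worksheet line into a list of networks, or a lowercase hostname.

    Accepts a single IP, a CIDR block, or a dashed range as people often write
    it on the form ("203.0.113.10-203.0.113.20"). Anything that is not an
    address is treated as a hostname or application name.
    """
    entry = entry.strip().lower()
    if entry.count("-") == 1:
        first, last = (p.strip() for p in entry.split("-"))
        try:
            start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
            return list(ipaddress.summarize_address_range(start, end))
        except ValueError:
            pass  # not a numeric range; fall through to hostname handling
    try:
        return [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        return entry  # hostname / application name


def parse_scope(in_scope_lines, not_to_test_lines):
    """Build a Scope from the two worksheet answer lists; unfilled blanks are skipped."""
    scope = Scope()
    for lines, nets, names in ((in_scope_lines, scope.allowed_nets, scope.allowed_names),
                               (not_to_test_lines, scope.denied_nets, scope.denied_names)):
        for line in lines:
            stripped = line.strip()
            if not stripped or not stripped.strip("_"):
                continue  # empty or still an unfilled "______" line
            parsed = _parse_entry(stripped)
            if isinstance(parsed, str):
                names.add(parsed)
            else:
                nets.extend(parsed)
    return scope


def check_target(scope, target):
    """Classify one candidate target as 'excluded', 'in-scope' or 'unlisted'.

    Exclusions win over inclusions. A target that is itself a range is only
    in scope if every address in it is allowed and none is excluded; a range
    touching an excluded address is rejected whole so it gets split by hand.
    """
    parsed = _parse_entry(target)
    if isinstance(parsed, str):
        if parsed in scope.denied_names:
            return "excluded"
        return "in-scope" if parsed in scope.allowed_names else "unlisted"
    for net in parsed:
        if any(net.overlaps(d) for d in scope.denied_nets if d.version == net.version):
            return "excluded"
    for net in parsed:
        if not any(net.subnet_of(a) for a in scope.allowed_nets if a.version == net.version):
            return "unlisted"
    return "in-scope"


def partition_targets(scope, targets):
    """Split a target list into (may scan, may not scan), each item with its verdict."""
    allowed, rejected = [], []
    for target in targets:
        verdict = check_target(scope, target)
        (allowed if verdict == "in-scope" else rejected).append((target, verdict))
    return allowed, rejected


# Constructed sample answers to the two worksheet questions (not real targets).
IN_SCOPE = [
    "10.10.0.0/16",                # corporate network
    "203.0.113.10-203.0.113.20",   # public web tier, written as a dashed range
    "app.example.com",
    "_______________________________________________________________________",
]
NOT_TO_TEST = [
    "10.10.5.0/24",                # segment run by a third party; no permission obtained
    "10.10.0.1",                   # core router
    "db.example.com",
]

if __name__ == "__main__":
    scope = parse_scope(IN_SCOPE, NOT_TO_TEST)
    candidates = ["10.10.1.7", "10.10.5.44", "10.10.0.1", "203.0.113.15",
                  "203.0.113.99", "app.example.com", "db.example.com",
                  "10.10.2.0/24", "10.10.0.0/24"]
    ok, bad = partition_targets(scope, candidates)
    for target, verdict in ok + bad:
        print(f"{target:16} {verdict}")
```

Feed the scanner only the first list that partition_targets returns; everything in the second list is either an agreed exclusion or a host nobody signed off on, and both belong in a conversation with the primary contact, not in a scan.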

 

List any third parties that own systems or networks that are in scope, and which systems they own (the target organization must have obtained each third party’s written permission in advance):

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Will the test be performed against a live production environment or a test environment:

(If production, note any required testing windows and an emergency contact who can halt the test.)

______________________________________________________________________

Will the penetration test include the following testing techniques:

Ping sweep of network ranges:  ____________________________________________

Port scan of target hosts:  _________________________________________________

Vulnerability scan of targets: ______________________________________________

Penetration into targets:  __________________________________________________

Application-level manipulation:  ____________________________________________

Client-side Java/ActiveX reverse engineering:  _________________________________

Physical penetration attempts:  ______________________________________________

Social engineering of people:  _______________________________________________

Other:  _________________________________________________________________

_______________________________________________________________________

Will the penetration test include internal network testing:  ____________________________

If so, how will access be obtained:  ___________________________________________

________________________________________________________________________

Are client/end-user systems included in scope:  _________________________________

If so, how may clients be leveraged:  __________________________________________

________________________________________________________________________

Is social engineering allowed:  _______________________________________________

If so, how may it be used:  __________________________________________________

________________________________________________________________________

Are Denial of Service attacks allowed:  _____________________________________

Are dangerous checks/exploits allowed (e.g., checks that may crash or destabilize a service):  ____________________________________

_______________________________________________________________________

Signature of Primary Contact representing Target Organization

____________________________

Date

_______________________________________________________________________

Signature of Head of Penetration Testing Team

____________________________

Date

Download the document here: scope-worksheet
