The security assessment process can be broken down into three high-level stages: Initial Engagement/Sales, Pre-Assessment, and Post-Assessment. Each stage includes a set of documents that must be defined and agreed upon by the client and the service provider (security professional).
The three key documents the client and the security professional must sign are the Master Service Agreement (MSA), the Statement of Work (SOW), and the Mutual Non-Disclosure Agreement (NDA).
Consider providing the client with sample reports, recommendation letters, certifications, etc.
Shortly after the initial meeting, in which the high-level requirements of the assessment are reviewed, both parties should sign the Mutual Non-Disclosure Agreement.
The NDA is a legally binding contract that establishes a confidential relationship between the client and the security professional.
AIM: protect any sensitive ideas or information shared by either party during the rest of the discussions and during the assessment itself.
Once the NDA is signed, the remaining initial-engagement discussions produce the other two documents, the MSA and the SOW.
The Master Service Agreement is a contractual document that specifies the performance objectives and outlines the responsibilities of both parties.
Sample: Rapid7 Master Service Agreement
The Statement of Work is a contract that specifies the activities, deliverables (Rules of Engagement, findings, report, etc.), timelines, and cost of the project.
It includes the details of the security assessment, such as its type, the stakeholders, etc.
A Rules of Engagement (ROE) meeting must be held before the security assessment begins, and its outcome is recorded in the ROE document.
It is essential that the ROE is defined and agreed upon by both parties; it should clearly outline and document the Engagement Scope.
The client identifies the systems, networks, and assets that will be assessed during the engagement, and equally those that will not. These include, but are not limited to:
IP Addresses/Ranges (CIDR notation),
Domains and Sub-Domains,
Virtual Hosts,
Cloud Systems and Assets,
API endpoints, etc.
Ensure that the assets, systems, or networks to be assessed, and those that must not be touched, are clearly documented and communicated to the whole security assessment team before any testing starts; anything not explicitly listed as in scope should be treated as out of scope.
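As an added worked example (not code from the original page), the following Python scope checker turns an ROE scope like the one described above into a "may I test this target?" check that can be run before any scan is launched. It accepts targets as bare IPs, CIDR ranges, hostnames, host:port pairs or URLs, supports exact and wildcard (`*.example.com`) domain entries, and lets exclusions override inclusions so that an excluded host sitting inside an included range is refused. The `Scope` class, the function names and the sample scope values are all hypothetical and chosen for illustration.

```python
"""Added example: an ROE scope checker.

Takes the in-scope / out-of-scope IP ranges and domains agreed in the Rules
of Engagement and answers "may I test this target?" for a raw target string
(IP, CIDR, hostname, host:port or URL). Exclusions always win over inclusions,
so an excluded host that happens to sit inside an included CIDR is refused.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class Scope:
    """Scope as it would be transcribed from the ROE document (hypothetical layout)."""
    in_cidrs: List[str] = field(default_factory=list)
    out_cidrs: List[str] = field(default_factory=list)
    # "example.com" matches only that name; "*.example.com" matches any
    # subdomain but NOT the bare domain, so list both when both are in scope.
    in_domains: List[str] = field(default_factory=list)
    out_domains: List[str] = field(default_factory=list)


def _domain_matches(host: str, pattern: str) -> bool:
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading dot: ".example.com"
    return host == pattern


def normalize_target(target: str) -> Tuple[str, object]:
    """Classify a raw target as ("ip", ip_network) or ("host", hostname)."""
    target = target.strip()
    try:  # bare address or CIDR, e.g. "10.10.1.20" or "10.10.0.0/16"
        return "ip", ipaddress.ip_network(target, strict=False)
    except ValueError:
        pass
    # URL, host:port or bare hostname: let urlsplit pull out the host part
    parts = urlsplit(target if "://" in target else "//" + target)
    host = (parts.hostname or "").rstrip(".")
    try:  # address written inside a URL, e.g. "https://192.0.2.44:8443/"
        return "ip", ipaddress.ip_network(host)
    except ValueError:
        return "host", host


def in_scope(scope: Scope, target: str) -> bool:
    """True only if the target is covered by an inclusion and touches no exclusion."""
    kind, value = normalize_target(target)
    if kind == "ip":
        out_nets = [ipaddress.ip_network(c, strict=False) for c in scope.out_cidrs]
        in_nets = [ipaddress.ip_network(c, strict=False) for c in scope.in_cidrs]
        # overlaps() is False across IP versions, so no version check is needed here
        if any(value.overlaps(n) for n in out_nets):
            return False
        # subnet_of() raises TypeError across versions, hence the filter;
        # a CIDR target must lie entirely inside one included range
        return any(value.subnet_of(n) for n in in_nets if n.version == value.version)
    if any(_domain_matches(value, p) for p in scope.out_domains):
        return False
    return any(_domain_matches(value, p) for p in scope.in_domains)


def filter_targets(scope: Scope, targets: List[str]) -> Tuple[List[str], List[str]]:
    """Split a candidate list into (allowed, refused); feed only `allowed` to the scanner."""
    allowed, refused = [], []
    for t in targets:
        (allowed if in_scope(scope, t) else refused).append(t)
    return allowed, refused


# Constructed sample scope (hypothetical values, not from any real engagement).
EXAMPLE_SCOPE = Scope(
    in_cidrs=["10.10.0.0/16", "192.0.2.0/24"],
    out_cidrs=["10.10.5.0/24"],  # e.g. a production VLAN carved out of the /16
    in_domains=["*.example.com", "api.example.net"],
    out_domains=["mail.example.com", "*.prod.example.com"],
)

if __name__ == "__main__":
    candidates = ["10.10.1.20", "10.10.5.7", "10.10.4.0/23",
                  "https://192.0.2.44:8443/api/v1", "www.example.com",
                  "mail.example.com", "db.prod.example.com", "api.example.net:443",
                  "example.org", "198.51.100.9"]
    ok, refused = filter_targets(EXAMPLE_SCOPE, candidates)
    print("allowed:", ok)
    print("refused:", refused)
```

Running the block with the sample scope allows `10.10.1.20`, the URL on `192.0.2.44`, `www.example.com` and `api.example.net:443`, and refuses `10.10.5.7` (inside the excluded /24), `10.10.4.0/23` (a range that merely overlaps the exclusion), `mail.example.com`, `db.prod.example.com` and anything never listed. Refusing a CIDR target on any overlap rather than splitting it is deliberate: a scanner should be handed only ranges that are unambiguously permitted.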
The types of simulated attacks that are and are not permitted should also be clearly defined and documented. Attacks that are commonly not permitted include social engineering and denial-of-service attacks. Note that even permitted activity such as aggressive port scanning or password brute-forcing can degrade a service, so testing windows and rate limits should be agreed as part of the ROE.
During the security assessment, it is vital to document and track every vulnerability found, whether exploited or not, together with the attack vector (path) followed to gain access to each system, including timestamps so the client can correlate the activity with its own logs.
This information is compiled and presented to the client in the Assessment Report.