Ask the Expert

Penetration test methodology: Creating a network pen testing agreement

I'm an IT auditor who wants to perform an intrusion penetration test of our company's ports. I'm getting resistance from the IT group because they are concerned it will cause system outages. Based on my research, however, there appears to be minimal risk of this. What would you recommend I do to convince them?

    Requires Free Membership to View

Prior to doing any corporate network pen testing, it's important to take some fundamental actions not only to protect the company, but also to protect yourself. Probably one of the best guides to help you prepare for such testing is Appendix B, Rules of Engagement, a template in the NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment (.pdf). The Rules of Engagement template (ROE) will help you organize and prepare the penetration testing methodology, while also giving a better sense to the IT department that you know what you are doing and are also concerned about possibly causing outages.

For example, the ROE includes the following key elements that you'll need to complete with the help of IT and corporate management:

  1. Introduction
    1. Purpose
    2. Scope
    3. Assumptions and Limitations
    4. Risks
    5. Document Structure
  2. Logistics
    1. Personnel
    2. Test Schedule
    3. Test Site
    4. Test Equipment
  3. Communications Strategy
    1. General Communication
    2. Incident Handling & Response
  4. Target System / Network
  5. Testing Execution
    1. Non-Technical Test Components (e.g., Interviews, social engineering)
    2. Technical Test Components (e.g., network scanning, discovery, penetration testing)
    3. Data Handling
  6. Reporting
  7. Signature Page
    1. At a minimum the test team leader and the company's senior management (CSO, CISO, CIO, etc.) should sign the ROE stating they understand the test's scope and boundaries and risks.

As an addendum, consider these extra things to add to the ROE to help the IT staff know you are on their side:

  1. Detail activities that will be allowed and those that arenot allowed. (E.g., Don't allow a pen test of a system that if tipped by the testing would result in a catastrophic failure of a key asset. Alternatively, don't allow a pen test during any major events that cannot be interrupted.)

  2. Identify those systems that are not authorized for testing (i.e., an "exclude list").

  3. Have a detailed incident handling and response procedure in case an incident occurs on the network while testing is in progress.

By completing this ROE and working closely with the IT staff, you can prove the trustworthiness of your intentions and your capabilities, as well as get appropriate management buy-in, before trying any risky testing.

This was first published in May 2010

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: