The entire pre-engagement process consists of three essential components:
Before any of these can be discussed in detail, a Non-Disclosure Agreement (NDA) must be signed by all parties. There are several types of NDAs:
| Type | Description |
|---|---|
| Unilateral NDA | This type of NDA obligates only one party to maintain confidentiality and allows the other party to share the information received with third parties. |
| Bilateral NDA | In this type, both parties are obligated to keep the resulting and acquired information confidential. This is the most common type of NDA that protects the work of penetration testers. |
| Multilateral NDA | A multilateral NDA is a commitment to confidentiality by more than two parties. If we conduct a penetration test for a cooperative network, all parties responsible and involved must sign this document. |
List of Company members who may be authorized to hire us for penetration testing
| Chief Executive Officer (CEO) | Chief Technical Officer (CTO) | Chief Information Security Officer (CISO) |
|---|---|---|
| Chief Security Officer (CSO) | Chief Risk Officer (CRO) | Chief Information Officer (CIO) |
| VP of Internal Audit | Audit Manager | VP or Director of IT/Information Security |
This can vary from company to company, with larger organizations not involving the C-level staff directly and the responsibility falling on IT, Audit, or IT Security senior management or the like.
| Document | Timing for Creation |
|---|---|
| 1. Non-Disclosure Agreement (NDA) | After Initial Contact |
| 2. Scoping Questionnaire | Before the Pre-Engagement Meeting |
| 3. Scoping Document | During the Pre-Engagement Meeting |
| 4. Penetration Testing Proposal (Contract/Scope of Work (SoW)) | During the Pre-Engagement Meeting |
| 5. Rules of Engagement (RoE) | Before the Kick-Off Meeting |
| 6. Contractors Agreement (Physical Assessments) | Before the Kick-Off Meeting |
| 7. Reports | During and after the conducted Penetration Test |