Rules of engagement

Following are important requirements that are present in almost every ROE:

◾ A proper “permission to hack” agreement and a nondisclosure agreement should be signed by both parties.
◾ The scope of the engagement, i.e., which parts of the organization are to be tested.
◾ The project duration, including both the start and the end date.
◾ The methodology to be used for conducting the penetration test.
◾ The goals of the penetration test.
◾ The allowed and disallowed techniques, e.g., whether denial-of-service testing may be performed.
◾ The liabilities and responsibilities, which are decided ahead of time. As a penetration tester you might break into something that should not be accessible, causing a denial of service; you might also access sensitive information such as credit card data. Therefore, the liabilities should be defined prior to the engagement.
Milestones

Before starting a penetration test, it’s good practice to set up milestones so that your project is delivered on the dates given in the rules of engagement.
You can use either a Gantt chart or a website like Basecamp that helps you set up milestones to keep track of your progress. The following chart lists the milestones, followed by the date by which each should be accomplished.

[Milestone chart not reproduced here; only its “Comments” column heading survived extraction.]