This document serves to acknowledge an engagement between the Business Owner and Data Custodian (see Definitions below), collectively, of the following system(s) or application, the University Chief Information Officer, and the University IT Security Officer.
System(s) to be tested: _______________________________________________________________

Testing Time Frame: (begin) ___________________________ (end) __________________________
Penetration Testing Components (see descriptions below). Indicate, by initial, the testing components that are to be completed.

Component                                     Business Owner    Data Custodian
Gathering Publicly Available Information      ________          ________
Network Scanning                              ________          ________
System Profiling                              ________          ________
Service Profiling                             ________          ________
Vulnerability Identification                  ________          ________
Vulnerability Validation/Exploitation         ________          ________
Privilege Escalation                          ________          ________
All parties, by signing below, accept and agree that:

1. The Information Security and Policy Office (ISPO) will take reasonable steps to preserve the operational status of systems, but it cannot be guaranteed.
2. The ISPO is authorized to perform the component tests listed above, at their discretion, using appropriate tools and methods.
3. Test results are related to the specific tests only. They indicate, but do not and cannot measure, the overall security posture (quality of protections) of an application system.
4. All information related to this testing will be treated as highly confidential Level III security data, with commensurate protections.
Signed: _______________________________________________________ (Business Owner)

        _______________________________________________________ (Data Custodian)

        _______________________________________________________ (CIO)

        _______________________________________________________ (CISO)

Testing Complete: ______________________________________________ Date: ______________

Review/Closeout Discussion Completed (Date): _______________________________________________
Definitions

Data Custodian: The technical contact(s) who have operational-level responsibility for the capture, maintenance, and dissemination of a specific segment of information, including the installation, maintenance, and operation of computer hardware and software platforms.

Business Owner: The senior official(s) within a college or departmental unit (or his/her designee) who are accountable for managing information assets.
Penetration Testing Component Descriptions:

1. Gathering Publicly Available Information: Researching the environment using publicly available data sources, such as search engines and websites.
2. Network Scanning: Performing automated sweeps of the IP addresses of systems provided and/or discovered, from on campus and off campus.
3. System Profiling: Identification of the operating system and version numbers running on the system, to focus subsequent tests.
4. Service Profiling: Identification of the services and applications, as well as their version numbers, running on the system, to further focus testing on vulnerabilities associated with the identified services.
5. Vulnerability Identification: Potential vulnerabilities (control weaknesses) applicable to the system are researched, tested, and identified.
6. Vulnerability Validation/Exploitation: After vulnerabilities are identified, they must be validated to minimize errors (false reports of problems), which involves attempts to exploit the vulnerability.
7. Privilege Escalation: Should exploitation of a vulnerability be successful, attempts are made to escalate privileges to obtain complete control of the system.