Scribd Logo
Upload

Welcome to Scribd!

  • Penetration Testing Agreement

    Uploaded by

    Alex Gonzaga
    971 views2 pages
    This document outlines an agreement between a business owner, data custodian, chief information officer, and chief information security officer to conduct a penetration test of a university system. It defines the system to be tested, timeframe, and testing components to be performed, which include gathering public information, network scanning, system/service profiling, vulnerability identification and validation, and privilege escalation if possible. All parties agree that the information security office will take reasonable steps to preserve systems but cannot guarantee it, and are authorized to perform the agreed upon testing components using appropriate tools and methods. Test results will be treated confidentially and only indicate security issues found from the specific tests.

    Original Description:

    Ejemplo de un contrato para un pentest

    Original Title

    Penetration Testing Agreement

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document outlines an agreement between a business owner, data custodian, chief information officer, and chief information security officer to conduct a penetration test of a university system. It defines the system to be tested, timeframe, and testing components to be performed, which include gathering public information, network scanning, system/service profiling, vulnerability identification and validation, and privilege escalation if possible. All parties agree that the information security office will take reasonable steps to preserve systems but cannot guarantee it, and are authorized to perform the agreed upon testing components using appropriate tools and methods. Test results will be treated confidentially and only indicate security issues found from the specific tests.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    971 views2 pages

    Penetration Testing Agreement

    Uploaded by

    Alex Gonzaga
    This document outlines an agreement between a business owner, data custodian, chief information officer, and chief information security officer to conduct a penetration test of a university system. It defines the system to be tested, timeframe, and testing components to be performed, which include gathering public information, network scanning, system/service profiling, vulnerability identification and validation, and privilege escalation if possible. All parties agree that the information security office will take reasonable steps to preserve systems but cannot guarantee it, and are authorized to perform the agreed upon testing components using appropriate tools and methods. Test results will be treated confidentially and only indicate security issues found from the specific tests.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    PenetrationTestingAgreement

    ThisdocumentservestoacknowledgeanengagementbetweentheBusinessOwnerandDataCustodian
    (seedescriptionspage2),collectivelyofthefollowingsystem(s)orapplication,theUniversityChief
    InformationOfficer,andtheUniversityITSecurityOfficer.
    Systems(s)tobetested:_______________________________________________________________
    TestingTimeFrame:(begin)___________________________(end)__________________________
    PenetrationTestingComponents(seedescriptionspage2).Indicatethetestingcomponentsthatareto
    becompleted,byinitial.

    Component
    BusinessOwner
    DataCustodian
    GatheringPubliclyAvailableInformation

    NetworkScanning

    SystemProfiling

    ServiceProfiling

    VulnerabilityIdentification

    VulnerabilityValidation/Exploitation

    PrivilegeEscalation

    Allparties,bysigningbelow,acceptandagreethat:

    1. TheInformationSecurityandPolicyOffice(ISPO)willtakereasonablestepstopreservethe
    operationalstatusofsystems,butitcannotbeguaranteed.
    2. TheISPOisauthorizedtoperformthecomponenttestslistedabove,attheirdiscretionusing
    appropriatetoolsandmethods.
    3. Testresultsarerelatedtospecifictestsonly.Theyindicate,butdonotandcannotmeasure,the
    overallsecurityposture(qualityofprotections)ofanapplicationsystem.
    4. AllinformationrelatedtothistestingwillbetreatedashighlyconfidentialLevelIIIsecuritydata,
    withcommensurateprotections.

    Signed:_______________________________________________________(BusinessOwner)

    _______________________________________________________(DataCustodian)

    _______________________________________________________(CIO)

    _______________________________________________________(CISO)

    TestingComplete:______________________________________________Date:______________

    Review/CloseoutDiscussionCompleted(Date):_______________________________________________

    Definitions

    DataCustodianThetechnicalcontact(s)thathaveoperationallevelresponsibilityforthecapture,
    maintenance,anddisseminationofaspecificsegmentofinformation,includingtheinstallation,
    maintenance,andoperationofcomputerhardwareandsoftwareplatforms.

    BusinessOwnerTheseniorofficial(s)withinacollegeordepartmentalunit(orhis/herdesignee)that
    areaccountableformanaginginformationassets.

    PenetrationTestingComponentDescriptions:
    1. GatheringPubliclyAvailableInformationResearchingtheenvironmentusingpubliclyavailable
    datasources,suchassearchenginesandwebsites.
    2. NetworkScanningPerformingautomatedsweepsofIPaddressesofsystemsprovidedand/or
    discovered,fromoncampusandoffcampus.
    3. SystemProfilingIdentificationoftheoperatingsystemandversionnumbersoperatingonthe
    system,tofocussubsequenttests.
    4. ServiceProfilingIdentificationoftheservicesandapplicationsaswellastheirversionnumbers
    operatingonthesystem,tofurtherfocustestingonvulnerabilitiesassociatedwiththeidentified
    servicesdiscovered.
    1. VulnerabilityIdentificationPotentialvulnerabilities(controlweaknesses)applicabletothe
    systemareresearched,tested,andidentified.
    2. VulnerabilityValidation/ExploitationAftervulnerabilitiesareidentified,theymustbevalidated
    tominimizeerrors(falsereportsofproblems),whichinvolvesattemptstoexploitthe
    vulnerability.
    3. PrivilegeEscalationShouldexploitationofvulnerabilitybesuccessful,attemptsaremadeto
    escalatetheprivilegestoobtaincompletecontrolofthesystem.

    You might also like