Penetration Testing Agreement

This document outlines an agreement between a business owner, data custodian, chief information officer, and chief information security officer to conduct a penetration test of a university system. It defines the system to be tested, timeframe, and testing components to be performed, which include gathering public information, network scanning, system/service profiling, vulnerability identification and validation, and privilege escalation if possible. All parties agree that the information security office will take reasonable steps to preserve systems but cannot guarantee it, and are authorized to perform the agreed upon testing components using appropriate tools and methods. Test results will be treated confidentially and only indicate security issues found from the specific tests.

Uploaded by Alex Gonzaga
Penetration Testing Agreement

This document serves to acknowledge an engagement between the Business Owner and Data Custodian (see descriptions page 2), collectively of the following system(s) or application, the University Chief Information Officer, and the University IT Security Officer.

System(s) to be tested: _______________________________________________________________

Testing Time Frame: (begin) ___________________________ (end) __________________________

Penetration Testing Components (see descriptions page 2). Indicate the testing components that are to be completed, by initial.

Component                                    Business Owner    Data Custodian
Gathering Publicly Available Information     ______________    ______________
Network Scanning                             ______________    ______________
System Profiling                             ______________    ______________
Service Profiling                            ______________    ______________
Vulnerability Identification                 ______________    ______________
Vulnerability Validation/Exploitation        ______________    ______________
Privilege Escalation                         ______________    ______________

All parties, by signing below, accept and agree that:

1. The Information Security and Policy Office (ISPO) will take reasonable steps to preserve the operational status of systems, but it cannot be guaranteed.
2. The ISPO is authorized to perform the component tests listed above, at their discretion, using appropriate tools and methods.
3. Test results are related to specific tests only. They indicate, but do not and cannot measure, the overall security posture (quality of protections) of an application system.
4. All information related to this testing will be treated as highly confidential Level III security data, with commensurate protections.

Signed: _______________________________________________________ (Business Owner)

_______________________________________________________ (Data Custodian)

_______________________________________________________ (CIO)

_______________________________________________________ (CISO)

Testing Complete: ______________________________________________ Date: ______________

Review/Closeout Discussion Completed (Date): _______________________________________________

Definitions

Data Custodian: The technical contact(s) that have operational-level responsibility for the capture, maintenance, and dissemination of a specific segment of information, including the installation, maintenance, and operation of computer hardware and software platforms.

Business Owner: The senior official(s) within a college or departmental unit (or his/her designee) that are accountable for managing information assets.

Penetration Testing Component Descriptions:

1. Gathering Publicly Available Information: Researching the environment using publicly available data sources, such as search engines and websites.
2. Network Scanning: Performing automated sweeps of IP addresses of systems provided and/or discovered, from on campus and off campus.
3. System Profiling: Identification of the operating system and version numbers operating on the system, to focus subsequent tests.
4. Service Profiling: Identification of the services and applications, as well as their version numbers, operating on the system, to further focus testing on vulnerabilities associated with the identified services discovered.
5. Vulnerability Identification: Potential vulnerabilities (control weaknesses) applicable to the system are researched, tested, and identified.
6. Vulnerability Validation/Exploitation: After vulnerabilities are identified, they must be validated to minimize errors (false reports of problems), which involves attempts to exploit the vulnerability.
7. Privilege Escalation: Should exploitation of a vulnerability be successful, attempts are made to escalate the privileges to obtain complete control of the system.
