According to The Penetration Testing Execution Standard Documentation, Release 1.1, which documents should be signed prior to conducting any penetration test?
1. Metrics For Time Estimation:
A tester should have a well-documented and signed Statement of Work specifying the amount of work and the hours required, so that it is clear in advance what happens when the testing deadline is reached, and how additional testing requested after the deadline will be handled.
2. Scoping Meeting:
There are situations in which the scoping meeting takes place only after the contract has been signed. There are also cases in which scope-related topics must be discussed before the contract is signed, which affects how much either side can safely disclose; for those situations a non-disclosure agreement (NDA) should be signed before any deep scoping meetings happen.
3. Additional Support Based on Hourly Rate:
For any additional work done outside the agreed scope, it is recommended to have a signed and counter-signed Statement of Work (SOW) covering that work and its hourly rate.
4. Permission to Test:
This is the most important document to obtain before conducting a penetration test, and it is known as the Permission to Test document. It states the scope of the engagement and carries a signature which acknowledges awareness of the activities of the testers. It must also state explicitly that testing can lead to system instability, that the tester will take all due care not to crash systems in the process, and that, because testing can nevertheless cause instability, the client shall not hold the tester liable for any system instability or crashes. It is imperative that testing does not begin until this document has been signed by the customer.
5. Protecting Yourself :
The guidelines recommend that, before beginning the penetration test, the tester covers all bases with the client and discusses the possible situations that can arise for the client, the tester and the provider.
It is also recommended to have a contract or Statement of Work signed by both client and provider stating that the actions taken against the systems during testing are performed on behalf of the client.
For additional information, it is recommended to read The Penetration Testing Execution Standard Documentation, Release 1.1, in full.