- 1 "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."
- 2 "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."
- 3 "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."
- 4 Determining Audit Location - The Penetration Testing Execution Standard: Pre-Engagement Guidelines
- 5 "When handling evidence of a test and the differing stages of the report it is incredibly important to take extreme care with the data. Always use encryption and sanitize your test machine between tests."
- 6 Usually, when working with an external funder, an engagement report, free of sensitive data about the host organization, will be created for submission to the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
- 7 Dealing with third parties - The Penetration Testing Execution Standard
- 8 "Before starting a penetration test, all targets must be identified."
- 9 "the assessment plan should provide specific guidance on incident handling in the event that assessors cause or uncover an incident during the course of the assessment. This section of the plan should define the term incident and provide guidelines for determining whether or not an incident has occurred. The plan should identify specific primary and alternate points of contact for the assessors... The assessment plan should provide clear-cut instructions on what actions assessors should take in these situations."
- 10 "One of the most important documents which need to be obtained for a penetration test is the Permission to Test document."