- Consider the threat landscape of the organization when determining secure communications channels. This may require some pre-agreement work using parts of the Context Research methodology.
- In addition to the overall mandate to send information encrypted to the organization, also demand encrypted communication back from them. Failure to establish a secure planning channel also contributes towards a no-go situation by putting both the auditor and organization at risk.
- Develop an agreement signed by both parties outlining the scope of the audit, including:
  - The start and end dates of the audit.
  - The location where the on-site audit will take place.
  - The responsibilities of the host staff.
  - The responsibilities of the auditor.
  - The host names and IP ranges of any services run by the organization.
  - Emergency contact information for the organization.
  - The procedure the auditor will follow when handling incidents.
  - The data security standards for evidence handling and communication.
- Develop and sign a confidentiality and non-disclosure agreement.
- Share a liability waiver signed by the host organization.
- Obtain approval from any third parties, if necessary.

The audit agreement, non-disclosure agreement, and liability waiver may be accomplished through a single document, or they may be separate documents.
- Sample Text for a Statement of Work and Engagement Agreement in the Confidentiality Agreement Activity.
- The SAFETAG Agreement Generator, a Python script which provides a decision tree covering the above points and builds a basic, clear-language agreement which can be translated and formalized as needed. Sample outputs and a diagram of the full decision tree are available in the "outputs" folder of the Agreement Generator repository. This replaces the draft agreement previously part of SAFETAG.

Auditors are encouraged to use, or at least reference, text from the following sources:
1. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."
2. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."
3. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."
4. Determining Audit Location - The Penetration Testing Execution Standard: Pre-Engagement Guidelines
5. "When handling evidence of a test and the differing stages of the report it is incredibly important to take extreme care with the data. Always use encryption and sanitize your test machine between tests."
6. Usually, when working with an external funder, an engagement report free of sensitive data about the host organization will be created for submission to the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
7. Dealing with third parties - The Penetration Testing Execution Standard
8. "Before starting a penetration test, all targets must be identified."
9. "the assessment plan should provide specific guidance on incident handling in the event that assessors cause or uncover an incident during the course of the assessment. This section of the plan should define the term incident and provide guidelines for determining whether or not an incident has occurred. The plan should identify specific primary and alternate points of contact for the assessors... The assessment plan should provide clear-cut instructions on what actions assessors should take in these situations."
10. "One of the most important documents which need to be obtained for a penetration test is the Permission to Test document."