Penetration Test Proposal
Deliverable 1: Rules of Engagement
Haverbrook Investment Group, L.L.L.P. (HIG) is a company specializing in financial services, with global revenue of $9.7 billion. The company, which originally started in Largo, Maryland, now has 350 locations across the United States of America, 8,738 employees, and 8.5 million customers. HIG’s motto and one of its core values is “the customer always comes first”. This customer-first approach has led to rapid success and growth of the organization and its information technology (IT) systems. To ensure the highest level of security over company resources and customer data, the HIG executive management team, led by the Chief Executive Operator (CEO) Beth Haverbrook, has hired Centralia Security Lab (CSL) to perform penetration testing on HIG computer systems and determine the effectiveness of HIG systems security.
CSL’s penetration testing includes activities to identify and exploit security vulnerabilities. The company’s penetration testing approach incorporates the following three phases: pre-attack, attack, and post-attack. The goal of the pre-attack phase is to plan and to collect as much data as possible about the target through active and passive reconnaissance. The attack phase uses the information gathered during the pre-attack phase to compromise and exploit vulnerabilities. The post-attack phase includes reporting, cleaning, and destruction of artifacts, and it is a critical phase when performing penetration tests.
The purpose of this Rules of Engagement (ROE) is to lay out the guidelines for both CSL penetration testers and HIG stakeholders, understand customer requirements, set project expectations, and come to agreements through legally binding documents. CSL and HIG have held interviews to collect customer information and meetings to develop the ROE for the penetration testing, and have come to an agreement on the scope, information handling, and requirements for this project. A penetration testing contract, which clearly states the rights and responsibilities of HIG and CSL, has been signed and completed by both CSL and HIG. The testing contract defines the non-disclosure clause, the objective of the penetration test, fees and project schedule, sensitive information, confidential information, the indemnification clause, and reporting and responsibilities. A Confidentiality Agreement (CA) has been signed and completed to protect against negligence and liability. A Non-Disclosure Agreement (NDA) document has also been signed and completed to protect trade secrets, patents, or other proprietary information.