Scoping Questionnaire for a Penetration Test

1. Contact Info
   Name, Company, Address, Address 2, City/Town, State/Province, ZIP/Postal Code, Country, Email Address, Phone Number

2. Estimated Project Start Date
   Date

3. Remote Testing (select all that apply)
   - Cloud
   - Phishing
   - Social engineering, other
   - Website
   - Web applications
   - External network / DMZ
   - Remote access
   - Other (please specify)

4. On-Site Testing (select all that apply)
   - Physical site assessment
   - Social engineering, other
   - Wireless: 802.1x
   - Wireless: other protocol
   - Network: architecture
   - Firewall
   - IDS / IPS validation
   - Security controls validation (e.g. SIEM, other)
   - Network: VoIP
   - Active Directory
   - Servers, workstations
   - Application(s)
   - Source code
   - Embedded device(s)
   - Mobile application(s)
   - ICS / SCADA
   - Adversary emulation
   - Other (please specify)

5. A. Compliance Assessment(s) (select all that apply)
   - Common Criteria
   - FISMA
   - GDPR
   - HIPAA
   - NERC CIP
   - NIST 800-53
   - NIST 800-171
   - NIST CSF
   - PCI DSS
   - PIPEDA, other privacy
   - ISO 27001
   - Vendor-specific
   - Other (please specify)

TESTING CONSIDERATIONS

6. Scope
   - Goal: what are the "success criteria" for testing (e.g. direct observation of sensitive data, root-level access to a critical server)?
   - What is the critical data that you are trying to protect?
   - Black box, white box, or grey box testing?

7. Constraints
   - Will all systems be backed up prior to testing (y/n)?
   - Will we be testing production systems or a development/test environment?
   - Are all systems hosted on-site?
   - Are there specific windows for testing (e.g. after-hours testing only)?
   - Will there be any interruptions during testing (e.g. vacations, stops due to monthly or annual business processes)?
   - Are there any limitations on on-site resources for testers (requirements for access, port or power limitations)?
   - Are there any legacy systems that have known issues?
   - When must testing be completed by?
   - When is the final draft report due?
   - Any other comments or questions?

REMOTE TESTING

8. Remote Testing: Cloud
   - What provider is being used (AWS / Azure / Other)?
   - Describe the devices present in the cloud (number, function).
   - Identify the user interfaces and APIs that must be tested.
   - Are you using Microsoft O365 (y/n)?
   - Other comments regarding use of the cloud

9. Phishing
   - How many people are to be tested?
   - How many repetitions of the test are to be conducted (1, 2, 3, etc.)?
   - Do you require specialized tests (e.g. "whaling" against Accounts Payable) (y/n)?

10. Social Engineering, Other
   - Test with messages sent to mobile devices (y/n)?
   - Use impersonation attacks against the Help Desk or other groups (y/n)?

11. Website / Web Services
   - Are websites hosted by the client or by a third party (y/n)?
   - How many hosts need to be tested?
   - How many websites need to be tested?
   - How many websites support financial transactions?
   - How many websites host / transmit sensitive information (e.g. medical)?
   - Will role-based testing be required (test as a user vs. test as a manager or admin)?
   - Please provide URLs and / or IP addresses of the sites to be tested, for review in advance of testing.

12. External Network / DMZ
   - How many external IPs need to be tested?

13. Remote Access
   - What remote access technologies need to be tested (Kiosks / Citrix / VPN / ATMs / Other)?
   - Is two-factor authentication in use (y/n)?
   - Other comments

ON-SITE TESTING

14. Physical Site Assessment
   - How many physical sites need to be tested? (Include primary and DR/BC sites.)
   - Where are the physical sites located?

15. Social Engineering, Other
   - Is dumpster diving required (y/n)?
   - Do you want to test whether physical intrusion / "tailgating" is effective (y/n)?
   - Test with "leave-behind devices" (USB keys, other computing devices) (y/n)?

16. Wireless: 802.1x and Other
   - How many networks / SSIDs need to be tested?
   - How many physical locations need to be tested?

17. Indicate which wireless technologies need to be tested
   - WAN, e.g. WiMAX (IEEE 802.16)
   - LAN / WiFi (IEEE 802.11)
   - Bluetooth, BLE (IEEE 802.15.1)
   - Zigbee (IEEE 802.15.4) or other industrial protocol
   - CDMA or other telco protocol
   - Software-defined radio (SDR)
   - Other (please specify)

18. Network Architecture (Firewall, IDS/IPS, Active Directory, Servers, Workstations, etc.)
   - How many network devices (firewalls, switches, control devices, etc.)?
   - How many servers (number of IP addresses)?
   - How many workstations (number of IP addresses)?
   - Critical applications to be tested (e.g. CRM, SAP, applications developed in-house, internal web-based applications, etc.)

19. Mobile Assessment
   - Are there mobile applications to be assessed?
   - How many lines of source code are to be reviewed?
   - What platform(s) were used to develop the source code?

20. ICS / SCADA
   - How many ICS / SCADA devices?