The term “Rules of Engagement” sounds intimidating the first time you hear it, but don’t be alarmed, it is meant to protect both you as the client and your penetration testers. The Rules of Engagement, or ROE, are meant to list out the specifics of your penetration testing project to ensure that both the client and the engineers working on a project know exactly what is being testing, when its being tested, and how its being tested. At Triaxiom, our engineers are engaged from Day 1 and are familiar with the project from the onset. The ROE stands as the definition of testing being performed to ensure all stakeholders are on the same page. Below we detail the specific items that are addressed and why they are important.
What is included in the Rules of Engagement?
Types of Testing Being Performed – This section ensures that all parties know exactly what type of testing will be performed, whether it be an external penetration test, internal penetration test, or some other form of testing. While this seems basic and obvious, this is critical to ensure that what you originally scoped out for the project and what you are expecting is exactly what the engineering team will execute.
Project Schedule – This is critical for both parties during a penetration test. The testers need to know exactly when they should or should not be testing, especially if there are pre-arranged testing windows to avoid heavy usage times, etc. Additionally, as the client, you want to know when testing is taking place to ensure that there are no network disruptions and to be confident that any unexpected traffic is not really malicious. This even allows you to exercise portions of your network monitoring and incident response processes to make sure controls you have in place are functioning properly.
Rules of Engagement – This is the meat of the document, and these rules are crucial to reveal in detail, as they provide the dos and do nots of testing. They contain a lot of important project specifics such as special testing parameters, requested rules the testing team should abide by, and disclosures about testing that can help protect the client. Below are some of the different things captured and detailed in this section:
- Treatment of sensitive information during the project
- How project status updates will be communicated
- Emergency contact information
- Handling of a sensitive and critical vulnerability
- Steps taken if a prior compromise is uncovered
- Security controls impact and specifics
- IP addresses of testing machines for monitoring/whitelisting
- Requirements for third-party hosting provider approvals to test
- In-scope targets, including the IP addresses and URLs
- Any specific compromise goals (i.e. Material and Non-public information, Credit Card Data)
- Specific web-forms to be avoided
Approval – The final step is a thorough review, update of any requested information, and written approval that the information in the ROE is correct. Once this is received, the testing team can begin the assessment based on the contents of the document.
While every Rules of Engagement will be slightly different depending on the firm you are working with, if your penetration testing firm does not have one in place, we highly recommend that you request they structure one for you or you consider switching firms. This document is meant to minimize mistakes and help protect all parties involved. Have additional questions? Please reach out to us or add a comment below.