Let me first start out with a couple of quotes that lay the foundation for why you need rules of engagement.
“Expectation is the mother of disappointment” - Sylvia Plath
“If it is not written down, it does not exist.” – Philippe Kruchten
Penetration Testing Rules of Engagement aim to document the expectations of the engagement. The benefit is having an agreed-upon guide on how the engagement is going to be executed so that there aren’t any surprises (or disappointments).
In military jargon, “Rules of Engagement” are the laws of war, the rules set forth that dictate the conditions and limitations under which military forces will initiate or continue an engagement.
Penetration Testing is a simulated offensive attack on a set of resources (sounds a little militaristic) and the rules of engagement (ROE) are meant to dictate the conditions and limitations under which the penetration tester will initiate or continue an engagement.
Regardless of whether you’re penetration testing a web application, social engineering, testing for sensitive information or sensitive data, or just doing a basic vulnerability assessment, Rules of Engagement are paramount for success. It seems straightforward, but you may be asking, “Why do I need rules of engagement when I have a project charter or statement of work that already has signatures?”
The short answer is that a statement of work is generally not going to address HOW the test should be conducted. Yes, it may contain an overview of the services sold and what was included in the deal. It may even have quite a bit of detail, such as the number of IPs and their ranges. But it does not include the communication and execution protocols specific to how the penetration test will be conducted. You’ll want to make sure that you have the following as part of your penetration test rules of engagement with your penetration testers.
What Should You Have in Your Penetration Testing Rules of Engagement?
1. Roles with contact information
2. Communication Plan
   a. Communication Ground Rules
   b. Escalation Pathways
   c. Communication Systems and Tools
   d. Management and monitoring of project communication
3. Change in Scope Management
I could take up a lot of time going into each one of these in detail; however, the easiest thing is for you to download our Rules of Engagement and Client Success Plan on this page (once you're on that page, scroll down to step 2). It’s a checklist and a template that you can use to establish your own rules of engagement, and you’ll see that most of it is very self-explanatory. Most people don’t need it explained; they just need a framework for how to start their approach. Feel free to change things up for whatever makes sense for your project. We’re just here to help!
All penetration tests and penetration testing projects are unique, but there are aspects universal to all project management that help minimize mistakes. Additionally, the clearer you are on what you’re doing and how you’re doing it, the happier your client will be and the more likely you’ll be to nail your deliverables.