
Module 02: Penetration Testing Scoping and Engagement Methodology - Setup P2

Written By AKADEMY on Thursday, July 4, 2019 | 9:51 PM

Setup - Creating and Reviewing Administrative Control Documents - Part 2

Scenario

Note: This exercise is a continuation of the previous exercise and should be performed in the same order.
Lab Duration: 5 Minutes

    1. Navigate to the YY-MM-DD-FNBF\00_Administration\00F_ROE folder and rename the Rules of Engagementvx.x.docx file to YY-MM-DD-FNBF_ROE.docx.
    2. Open the YY-MM-DD-FNBF_ROE.docx file and, using your word processor's find and replace function, replace all instances of “Tested Organization” in red with the full name of the client organization (for this lab, FNB Financial Services) in black.
    3. Find and replace all instances of TORG in red with the client organization's abbreviation (for this lab, FNBF) in black.
    4. On the cover page, change the date after the word “Dated:” to the current date.
    5. Modify the remaining verbiage as necessary, per the information contained in the EL and project plan.
    6. Change the color of all modified text from red to black.
    7. Any verbiage still in red will be discussed with the client during the working teleconference.
    8. Save the file.
    Note: The RoE will be sent to the client as part of the Advance Packet discussed later.

    1. Navigate to the YY-MM-DD-FNBF\00_Administration\00G_TP folder and rename the Test_Planvx.x.docx file to YY-MM-DD-FNBF_TP.docx.
    2. Open the YY-MM-DD-FNBF_TP.docx file and, using your word processor's find and replace function, replace all instances of “Tested Organization” in red with the full name of the client organization (for this lab, FNB Financial Services) in black.
    3. Find and replace all instances of TORG in red with the client organization's abbreviation (for this lab, FNBF) in black.
    4. On the cover page, change the date after the word “Dated:” to the current date.
    5. Modify the remaining verbiage as necessary, per the information contained in the EL and project plan.
    6. Change the color of all modified text from red to black.
    7. Any verbiage still in red will be discussed with the client during the working teleconference.
    8. Appendices 1-3 in the YY-MM-DD-FNBF\00_Administration\00G_TP folder will be reviewed with the client during the working teleconference.
    9. Save the file, keeping the file name assigned in step 1.
    10. Move the contents of the YY-MM-DD-FNBF\00_Administration\00G_TP folder to an archive, naming the archive YY-MM-DD-FNBF_TP.zip.
    Note: The archive containing the Test Plan and Appendices will be sent to the client as part of the Advance Packet discussed later.

  In this task, we will prepare a draft of the External Testing Authorization (XAUTH).
    1. Navigate to the YY-MM-DD-FNBF\00_Administration\00H_LTA folder and rename the XAUTHvx.x.pdf file to YY-MM-DD-FNBF_XAUTH.pdf.
    2. Open the YY-MM-DD-FNBF_XAUTH.pdf file.
    3. Go to page 5 of the form. Complete Sections I and V of the form according to the instructions accompanying the form and the information from the EL and project plan.
    4. On the signature page (page 8), fill in the client's full name in black. The remaining areas of the form will be discussed with the client during the working teleconference. Save the file.
    Note: The XAUTH will be sent to the client as part of the “Advance Packet” discussed later.

  In this task, we will prepare a draft of the Internal Testing Authorization (IAUTH).
    1. Navigate to the YY-MM-DD-FNBF\00_Administration\00H_LTA folder and rename the IAUTHvx.x.pdf file to YY-MM-DD-FNBF_IAUTH.pdf.
    2. Open the YY-MM-DD-FNBF_IAUTH.pdf file.
    3. Go to page 5 of the form. Complete Sections I to V of the form according to the instructions accompanying the form and the information from the EL and project plan. On the signature page (page 9), fill in the client's full name in black. The remaining areas of the form will be discussed with the client during the working teleconference. Save the file.
    Note: The IAUTH will be sent to the client as part of the “Advance Packet” discussed later.

  During the initial contact call with the client, the ETL determines which operating systems other than Microsoft® Windows are in use at the client facility. If the ETL has delegated the task of preparing the ICQ, that information should be given to the person performing this task.
    1. Navigate to the YY-MM-DD-FNBF\00_Administration\00I_ICQ\ folder. Delete any ICQ that will not be used during this engagement. Rename the remaining files by replacing the “ICQ” portion of each file name with “YY-MM-DD-FNBF_”.
    2. Move the contents of the YY-MM-DD-FNBF\00_Administration\00I_ICQ\ folder to an archive, naming the archive YY-MM-DD-FNBF_ICQ.zip.
    Note: The archive containing the ICQ will be sent to the client as part of the “Advance Packet” discussed later.

    1. Navigate to the YY-MM-DD-FNBF\00_Administration\00J_PBC folder and rename PBCListvx.x.pdf by prefixing “YY-MM-DD-FNBF_” to the file name and deleting “vx.x” from the end of the file name, so that the file is now named YY-MM-DD-FNBF_PBCList.pdf.
    2. Use the legend at the end of the form to match each entry in the “X-Ref” column with an ICQ provided to the client.
    3. Delete any request items pertaining to ICQ not provided to the client.
    4. Add additional request items to the end of the form as needed, assigning a Request ID to each as appropriate.
    5. Save the form. There is no need to change the file name again.
    Note: The initial PBC request list will be sent to the client as part of the “Advance Packet” discussed later.

    1. Navigate to the YY-MM-DD-FNBF\00_Administration\00K_LOIA folder and rename the LOIA_Instructionsvx.x.docx file by prefixing “YY-MM-DD-FNBF_” to the file name and deleting “vx.x” from the end of the file name, so that the file is now named YY-MM-DD-FNBF_LOIA_Instructions.docx.
    2. Open the file and fill in the appropriate information.
    3. Save the file.
    Note: The instructions for completing the LOIA will be sent to the client as part of the “Advance Packet” discussed later.

  Notes:
    1) This task is unique in that the Data Use Agreement (DUA) form is normally provided by the client. Because the format and content of these forms vary, no specific completion instructions are possible. The following steps are general instructions for completing the DUA and maintaining records of its completion within your EGS Partnership.
    2) Each team member assigned to work on an engagement may sign a separate Data Use Agreement, or a single Agreement may be put in place for the entire engagement team. Perform only the applicable steps in the task below.
    1. The ETL navigates to YY-MM-DD-FNBF\00_Administration\00E_DUA\ and completes a “MasterCopy” of the DUA by filling in all EGS Partnership information that applies to every engagement member.
    2. The ETL saves the file with the original file name.
    3. The ETL notifies engagement team members by email that a DUA needs to be executed and provides:
    i) Information on the location of the engagement data folders
    ii) Completion instructions (digital signature, digital image or hard copy required)
    4. All engagement team members navigate to YY-MM-DD-FNBF\00_Administration\00E_DUA\ and complete the DUA as per the ETL's email instructions:
    i) If the client will accept digitally signed statements, each team member signs their statement, saves the file as <Surname>-DUA in the YY-MM-DD-FNBF\00_Administration\00E_DUA folder and notifies the ETL via email that the DUA has been completed.
    ii) If the client will accept digital images of signed copies, each team member prints the file, signs in the appropriate area, scans the file to a TIFF image, saves the TIFF file as <Surname>-DUA in the YY-MM-DD-FNBF\00_Administration\00E_DUA folder, and notifies the ETL via email that the DUA has been completed. Team members then destroy the hard copy of the DUA and electronically shred all individual temporary copies.
    iii) If the client will only accept original copies of the DUA, each team member prints the file, signs in the appropriate area, scans the file to a TIFF image, saves the TIFF file as <Surname>-DUA in the YY-MM-DD-FNBF\00_Administration\00E_DUA folder, and delivers the original copy to the ETL.

    1. When all DUAs have been executed, the ETL (or a designated person) deletes the master copy from the folder and moves the contents of the YY-MM-DD-FNBF\00_Administration\00E_DUA folder to an archive, naming the archive file YY-MM-DD-FNBF_DUA.zip.
    2. The ETL or designated person then uses an MD5 calculator to create an MD5 checksum for the archive file.
    3. The ETL or designated person creates a text file and copies the checksum into that file.
    4. The ETL or designated person saves the text file in the same location as the archive as YY-MM-DD-FNBF_DUA_hash.txt.
    Note: The Data Use Agreement(s) will become part of the documentation sent to the client as part of the “Advance Packet” discussed later.
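The archive-and-checksum steps above (and the identical NDA archive and hash file referenced later) are easy to get subtly wrong by hand: the master copy slips into the zip, or the hash file is typed for the wrong file. The script below is an added example, not part of the lab or its templates. It builds the DUA archive from the folder contents while excluding the master copy, writes the hash file, and verifies the archive against it so that any change in transit is detected. The lab asks for MD5; because MD5 collisions are practical, a SHA-256 line is recorded alongside it. The engagement folder layout, the master copy name DataUseAgreement.pdf (taken from the Advance Packet step later on this page) and the hash file format (the `ALGO (file) = hex` layout that `openssl dgst` prints) are assumptions. The demo input files are constructed in a temporary directory; the script does not delete anything, so moving the originals out of the folder is still a manual step.

```python
"""Added example: build the YY-MM-DD-FNBF_DUA.zip archive, write its hash
file and verify it. Not part of the original lab; folder layout, master
copy name and hash file format are assumed."""
import hashlib
import tempfile
import zipfile
from pathlib import Path

ENGAGEMENT = "YY-MM-DD-FNBF"          # placeholder id, as used throughout the lab
MASTER_COPY = "DataUseAgreement.pdf"   # unsigned master; must not ship (assumed name)
ALGORITHMS = ("md5", "sha256")         # lab asks for MD5; SHA-256 added as caveat


def build_archive(src_dir: Path, archive: Path, exclude=(MASTER_COPY,)) -> list[str]:
    """Zip the *contents* of src_dir (not the folder itself) into archive,
    skipping excluded names and the archive file itself. Returns the sorted
    member names so the operator can eyeball what actually shipped."""
    members = []
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(src_dir.iterdir()):
            if path.is_file() and path.name not in exclude and path != archive:
                zf.write(path, arcname=path.name)
                members.append(path.name)
    return members


def file_digest(path: Path, algo: str) -> str:
    """Stream the file through the named hashlib algorithm; return hex."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hash_file(archive: Path, hash_file: Path) -> dict:
    """Write one 'ALGO (filename) = hex' line per algorithm and return the
    digests so they can also be quoted in the cover email."""
    digests = {algo: file_digest(archive, algo) for algo in ALGORITHMS}
    lines = [f"{algo.upper()} ({archive.name}) = {hexd}\n" for algo, hexd in digests.items()]
    hash_file.write_text("".join(lines), encoding="ascii")
    return digests


def verify_archive(archive: Path, hash_file: Path) -> bool:
    """Recompute every digest listed in hash_file. A malformed line, a
    filename mismatch, an unknown algorithm or a digest mismatch all fail
    closed; an empty hash file is also a failure."""
    checked = 0
    for line in hash_file.read_text(encoding="ascii").splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            head, expected = line.split(" = ", 1)
            algo, name = head.split(" (", 1)
        except ValueError:
            return False
        algo, name = algo.lower(), name.rstrip(")")
        if name != archive.name or algo not in hashlib.algorithms_available:
            return False
        if file_digest(archive, algo) != expected.strip():
            return False
        checked += 1
    return checked > 0


def demo() -> dict:
    """Constructed run: three files in 00E_DUA (one master copy, two signed
    copies), archive + hash file, then a one-byte tamper after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        dua_dir = Path(tmp) / ENGAGEMENT / "00_Administration" / "00E_DUA"
        dua_dir.mkdir(parents=True)
        (dua_dir / MASTER_COPY).write_bytes(b"%PDF master copy (constructed)")
        (dua_dir / "Smith-DUA.pdf").write_bytes(b"%PDF signed by Smith (constructed)")
        (dua_dir / "Nguyen-DUA.tif").write_bytes(b"II*\x00 scanned signature (constructed)")
        archive = dua_dir / f"{ENGAGEMENT}_DUA.zip"
        hash_file = dua_dir / f"{ENGAGEMENT}_DUA_hash.txt"

        members = build_archive(dua_dir, archive)
        digests = write_hash_file(archive, hash_file)
        ok_before = verify_archive(archive, hash_file)
        with archive.open("ab") as f:      # simulate modification in transit
            f.write(b"\x00")
        ok_after = verify_archive(archive, hash_file)
        return {"members": members, "md5": digests["md5"],
                "ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    print(demo())
```

The recipient verifies with the same `verify_archive` call (or `openssl dgst -sha256 YY-MM-DD-FNBF_DUA.zip` against the hash file). Note that the hash file only detects accidental or opportunistic modification when it travels by a path the attacker cannot also rewrite; if both files go in the same email, a signature or an out-of-band readout of the digest on the follow-up call is what actually gives the client assurance.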

    1. If the client has agreed to accept digitally signed NDAs or digital images of signed NDAs, copy the YY-MM-DD-FNBF\00_Administration\00D_NDA\YY-MM-DD-FNBF_NDA.zip and YY-MM-DD-FNBF_NDA_hash.txt files to the YY-MM-DD-FNBF\00_Administration\00X_AP\ folder.
    2. Copy YY-MM-DD-FNBF\00_Administration\00F_ROE\YY-MM-DD-FNBF_ROE.docx to the 00X_AP\ folder.
    3. Copy YY-MM-DD-FNBF\00_Administration\00G_TP\YY-MM-DD-FNBF_TP.zip to the 00X_AP\ folder.
    4. Copy YY-MM-DD-FNBF\00_Administration\00H_LTA\YY-MM-DD-FNBF_XAUTH.pdf to the 00X_AP\ folder.
    5. Copy YY-MM-DD-FNBF\00_Administration\00H_LTA\YY-MM-DD-FNBF_IAUTH.pdf to the 00X_AP\ folder.
    6. Copy YY-MM-DD-FNBF\00_Administration\00I_ICQ\YY-MM-DD-FNBF_ICQ.zip to the 00X_AP\ folder.
    7. Copy the renamed PBC request list (YY-MM-DD-FNBF_PBCList.pdf) from YY-MM-DD-FNBF\00_Administration\00J_PBC\ to the 00X_AP\ folder.
    8. Copy YY-MM-DD-FNBF\00_Administration\00K_LOIA\YY-MM-DD-FNBF_LOIA_Instructions.docx to the 00X_AP\ folder.
    9. If required by the client, copy the YY-MM-DD-FNBF\00_Administration\00E_DUA\DataUseAgreement.pdf file, or the YY-MM-DD-FNBF_DUA.zip and YY-MM-DD-FNBF_DUA_hash.txt files, to the 00X_AP\ folder.
    10. Move the contents of the 00X_AP\ folder to an archive, naming the archive file “YY-MM-DD-FNBF_AP.zip”.

    1. Navigate to the YY-MM-DD-FNBF\00_Administration\00L_ECL\ folder and rename the MasterEngagementControlListvx.x.xlsx file to “YY-MM-DD-FNBF_ECL.xlsx”.
    2. Open the file and navigate to the Document_Control tab sheet.
    3. Add or modify entries as required to account for every document to be sent to the client in the “Advance Packet”.
    4. Copy the ICQ entries from the “Description” and “Date Sent” columns to the sheet labeled “PBC Control”, pasting the information into columns “B” and “C”.
    5. Assign a sequential number to each entry in the “Item #” column.
    6. Enter the Date Required for each entry. For the ICQ, this is the first day of on-site work, unless the Information Gathering portion of the engagement will be completed at the Partnership offices, in which case it is the date established during the initial client contact coordination call.
    7. Save the file.

    1. Compose an email to the TPOC telling them that the email attachment contains the documentation discussed in the initial coordination call.
    2. Remind them of the tentative date and time scheduled for the working teleconference.
    3. Remind them to maintain proper security of the attached documentation once they begin working on the contents.
    4. Tell them that you will make a follow-up telephone call on the next business day to verify receipt of this email and the attached documents.
    5. If the client has requested hard copies of the NDA or DUA, tell them that you will:
    (1) Notify them in a separate email when those documents have been shipped and
    (2) Provide them with the tracking number and expected delivery date.
    6. Remind them that they can call or email if they have any questions.
    7. Include your office and mobile telephone numbers if they are not included in your signature block.
    8. Attach the YY-MM-DD-FNBF_AP.zip archive created when the Advance Packet was assembled to the email.
    9. Configure the email for Delivery Receipt and Read Receipt and send it to the TPOC via secure email.
    10. Set a reminder in your calendar program to call the TPOC on the next business day.
    Note:
    You will always send the electronic Advance Packet contents to the client organization (TORG). You only need to send hard copy Advance Packet contents if the client has requested hard copies of either the Non-Disclosure Agreement (NDA) or the Data Use Agreement (DUA).

  Note: If the client has chosen to receive electronic copies of both the NDA and the DUA, no hard copies are shipped and this task is not performed.
    1. Assemble all hard copy materials for engagement team members who will participate in the engagement into a packet.
    2. Review all hard copy materials to ensure they have been completed properly.
    3. Place a “Client Confidential” coversheet on the packet.
    4. Seal the packet in such a way that the package cannot be opened without evidence of tampering being clearly visible and ship the packet via registered carrier to the client. The packet must arrive prior to the scheduled date of the working teleconference.
    5. Obtain the tracking number and estimated date of delivery.
    6. Compose an email to the TPOC telling them that the materials have been shipped and provide them with the tracking and expected delivery date information.
    7. Tell them that you will make follow-up telephone calls on the next business day to verify receipt of this email and again on the day after the expected delivery date to verify receipt.
    8. Remind them that they can call or email if they have any questions.
    9. Include your office and mobile telephone numbers if they are not included in your signature block.
    10. Set a reminder to call the POC the next business day and the day after the expected delivery date in your calendar program.

    1. On the next business day, check for a “delivery receipt” and “read receipt” from the TPOC.
    2. Regardless of whether or not the receipts have arrived, contact the TPOC via telephone and verify receipt of the email containing the electronic “Advance Packet” documentation.
    3. If the packet was received, remind the TPOC that you can be contacted at any time if they have questions.
    4. Remind them to maintain proper security of the attached documentation once they begin working on the contents. No further action is necessary until the working teleconference.
    5. If the packet was not received, arrange to re-send the information and perform the associated tasks.

  8. Note: If no hard copy materials were sent to the client, this task is not performed.
    1. On the next business day, check for a “delivery receipt” and “read receipt” from the TPOC.
    2. Regardless of whether or not the receipts have arrived, contact the TPOC via telephone and verify receipt of the email containing the tracking number and expected date of delivery for hard copy information.
    3. If received, remind the TPOC that you will contact them on the next business day after the expected date of arrival for the hard copy documentation.
    4. If not received, provide the TPOC with the tracking number and expected date of arrival of the hard copy documentation verbally.
    5. On the next business day after the expected arrival date of the hard copy of the “Advance Packet” materials, contact the TPOC via telephone and verify receipt of the hard copy “Advance Packet” documentation.
    6. If the packet was received, remind the TPOC that you can be contacted at any time if they have questions.
    7. Remind them to maintain proper security of the attached documentation once they begin working on the contents. No further action is necessary until the working teleconference.
    8. If the packet was not received, use the tracking information to locate the packet.
    9. If the packet has been lost, you will need to arrange re-delivery of the hard copy “Advance Packet” materials and perform the associated tasks.
Information Security Training Center - Học Hacker Mũ Xám Online | Online Cyber Security Training | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved