
Module 02: Penetration Testing Scoping and Engagement Methodology - Setup P3

Written By AKADEMY on Thursday, July 4, 2019 | 9:51 PM

Setup - Creating and Reviewing Administrative Control Documents - Part 3

Scenario

Note: This exercise is a continuation of the previous exercise and should be performed in the same order.
Lab Duration: 5 Minutes

    1. Just prior to the time of the conference call, navigate to YY-MM-DD-FNBF\00_Administration\.
    2. At the appointed time, initiate the conference call with the TPOC.
    3. Ask for the names and positions of the TORG attendees and include this information in your meeting notes.
    4. Ask if there are any problems with the Non-Disclosure Agreements (NDA) and resolve them as necessary before proceeding.
    5. Walk the TPOC through each area of the XAUTH, IAUTH, RoE, and TP.
    Note: Explain as necessary and complete all pertinent items in the XAUTH, IAUTH, RoE, and TP documents. Make the changes to your copy of each document, as it will become the record copy. Tell the TPOC that after all the changes are made, you will send a final copy through secure email. The TORG must sign the XAUTH and return the entire document, either via fax, secure email or hard copy, before the engagement can begin.

    1. Ask if there are any questions on the ICQ. Answer as necessary.
    2. Ask if there are any questions on the Initial PBC List. Answer as necessary and remind the TPOC that the preferred method of receiving the requested documentation is in electronic format on CD-ROM or DVD.
    3. Ask if the TORG has any questions about the preparation of the Letter of Introduction and Authorization. Tell the client that the signed originals must be sent via registered carrier and arrive at your office before any work can commence.
    4. Determine a date for delivery of the final copies of the documentation to the TORG from your EGS Licensed Partnership.
    5. Determine which method (fax, secure email or hard copy) the client prefers to use to return the signed copies of the XAUTH and RoE.
    6. Determine a “not later than” date for the return of the XAUTH, RoE and LOIA to your Partnership from the TORG.
    7. If the Information Gathering portion of the engagement will not be conducted on-site, determine a mutually acceptable date for delivery of the completed ICQ and initial PBC request data to your offices from the TORG.
    8. Determine the format preferred by the TORG for the Entrance conference:
      1. Informal oral briefing,
      2. Formal oral briefing with printed documentation (Talking Points paper), or
      3. Formal presentation using slide decks.
    9. Recap the meeting to ensure you have the correct information pertaining to equipment and activity prohibitions, in-processing requirements, dress code, Entrance Conference requirements and dates for delivery and receipt of all documentation.
    10. Tell the client that they can call or email at any time with questions.
    11. Provide email and contact information for any Subject Matter Experts (SME) that can also answer questions.
    12. When all client questions have been answered, end the call.

    1. Calendar the due date for sending the teleconference documents to the client and the suspense date for the client to return the signed documents.
    2. Complete work on the Rules of Engagement (RoE) in accordance with the information agreed to in the working teleconference. Spell check the document and review it for grammar and syntax errors. Save the document to YY-MM-DD-FNBF\00_Administration\00F__ROE\ with the original file name.
    3. Complete work on the Test Plan (TP) in accordance with the information agreed to in the working teleconference.
      1. Complete updates to the Appendices in accordance with the information agreed to in the working teleconference.
      2. Merge the applicable Appendices into YY-MM-DD-FNBF_TP.docx to form a single document named YY-MM-DD-FNBF_TP.docx.
      3. Spell check the document and review it for grammar and syntax errors. Save the document to YY-MM-DD-FNBF\00_Administration\00G__TP\ with the original file name.
    4. Complete work on the External Testing Authorization (XAUTH) in accordance with the information agreed to in the working teleconference.
      1. Spell check the document and review it for grammar and syntax errors.
      2. Save the document to YY-MM-DD-FNBF\00_Administration\00H__LTA\ with the original file name.
    5. Complete work on the Internal Testing Authorization (IAUTH) in accordance with the information agreed to in the working teleconference.
      1. Spell check the document and review it for grammar and syntax errors.
      2. Save the document to YY-MM-DD-FNBF\00_Administration\00H__LTA\ with the original file name.

    Note: On or before the suspense date for delivery of the final documents to the client, perform steps 1-5 below.
    1. Copy YY-MM-DD-FNBF\00_Administration\00F__ROE\YY-MM-DD-FNBF_ROE.docx to the YY-MM-DD-FNBF\00_Administration\00W_FECD folder.
    2. Copy YY-MM-DD-FNBF\00_Administration\00G__TP\YY-MM-DD-FNBF_TP.docx to the YY-MM-DD-FNBF\00_Administration\00W_FECD folder.
    3. Copy YY-MM-DD-FNBF\00_Administration\00H__LTA\YY-MM-DD-FNBF_XAUTH.docx to the YY-MM-DD-FNBF\00_Administration\00W_FECD folder.
    4. Copy YY-MM-DD-FNBF\00_Administration\00H__LTA\YY-MM-DD-FNBF_IAUTH.docx to the YY-MM-DD-FNBF\00_Administration\00W_FECD folder.
    5. Move the contents of the YY-MM-DD-FNBF\00_Administration\00W_FECD folder into an archive named YY-MM-DD-FNBF_FECD.zip.
    ECD = Engagement Control Documents

    1. Navigate to YY-MM-DD-FNBF\00_Administration\00L_ECL\ and open the YY-MM-DD-FNBF_ECL.xlsx file.
    2. Navigate to the Document_Control sheet.
    3. Add entries as required to account for all documents to be sent to the client in the Final Engagement Control Documents packet from Task 18 above.
    4. Enter the Date Sent, the Date Required and the name of the person to whom each document was sent, if applicable.
    5. Save the file with the original file name.

    1. Compose an email to the client POC telling them that the attachment contains the final copies of the documentation as modified during the working teleconference.
    2. Remind them to maintain proper security of the attached documents once they begin working on the contents.
    3. Tell them that you will make a follow-up telephone call on the next business day to verify receipt of this email and the attached documents.
    4. Remind them that they can call or email if they have any questions.
    5. Include your office and mobile telephone numbers if they are not included in your signature block.
    6. Attach the YY-MM-DD-FNBF_FECD.zip archive file to the email.
    7. Configure the email for Delivery Receipt and Read Receipt and send it to the client POC via secure email.
    8. Set a reminder in your calendar program to call the POC on the next business day.
    FECD = Final Engagement Control Documents

    1. On the next business day, check for a “delivery receipt” and “read receipt” from the client POC.
    2. Regardless of whether or not the receipts have arrived, contact the client POC via telephone and verify receipt of the email containing the final copies of the engagement control documentation.
    3. If the packet was received, remind the client POC that you can be contacted at any time if they have questions.
    4. If the packet was not received, arrange to re-send the information.
    5. Monitor suspense dates for various items.
    6. If documents have not been received by the next business day after the agreed upon suspense date, contact the TPOC to determine the reason for the delay.

    1. Navigate to YY-MM-DD-FNBF\00_Administration\00M_EC\ and rename the EC_Attendeevx.x.docx file to YY-MM-DD-FNBF_EC_Attendee.docx.
    2. Modify the information as necessary to personalize the attendee sheet to the client, and save the file.
    3. Navigate to YY-MM-DD-FNBF\00_Administration\00M_EC\ and rename the EC_Briefvx.x.docx file by prefixing “YY-MM-DD-FNBF_” to the filename and deleting “vx.x” from the end of the file name, so that the file is now named YY-MM-DD-FNBF_EC_Brief.docx.
    4. Open the YY-MM-DD-FNBF_EC_Brief.docx file.
    5. Modify the information as necessary to personalize the presentation to the client, your EGS Partnership and the personnel assigned to the engagement.
    6. Save the file.
    7. Navigate to YY-MM-DD-FNBF\00_Administration\00M_EC\ and rename the EC_Presvx.x.pptx file by prefixing “YY-MM-DD-FNBF_” to the filename and deleting “vx.x” from the end of the file name, so that the file is now named YY-MM-DD-FNBF_EC_Pres.pptx.
    8. Modify the information as necessary to personalize the presentation to the client, your EGS Partnership and the personnel assigned to the engagement.
    9. Save the file with the original file name.
    Note:
    1). Which steps are actually performed in the task above depends on the TORG's preferred format for the Entrance Conference.
    2). Steps 1-3 are always performed, regardless of the format requested. Steps 4-7 are executed when the TORG prefers an oral briefing with documentation. Steps 8-10 are performed for a formal presentation with slide decks.
    3). It is perfectly acceptable to present a briefing using both hard copy documentation and slide decks.

    1. Navigate to YY-MM-DD-FNBF\01_SISGCA\01J_Draft_Rpt\ and rename the SISGCAvx.x.docx file by prefixing “YY-MM-DD-FNBF_” and deleting “vx.x” from the end of the file name, so that the file is now named YY-MM-DD-FNBF_SISGCA.docx.
    2. Open the file.
    3. Navigate to the transmittal letter in the document (page 4).
    4. Navigate to YY-MM-DD-FNBF\01_SISGCA\01J_Draft_Rpt\ and open the Draft_verbiage.docx file.
    5. Copy the paragraph after <INSERT THE FOLLOWING FOR THE DRAFT REPORT>.
    6. Paste the copied paragraph at the location of <<<Insert Draft or Final Verbiage Here>>> in the YY-MM-DD-FNBF_SISGCA.docx file.
    7. Review the remainder of the document, personalizing the content for the client, inserting any known information, and deleting any sections or services that will not be used or performed during the engagement.
    8. Save the document.
    SISGCA = Selected Information Systems General Controls Assessments

    1. Navigate to YY-MM-DD-FNBF\01_SISGCA\01I_FEB\ and rename the FEB_Attendeevx.x.docx file by prefixing “YY-MM-DD-FNBF_” to the filename and deleting “vx.x” from the end of the file name, so that the file is now named YY-MM-DD-FNBF_FEB_Attendee.docx.
    2. Navigate to YY-MM-DD-FNBF\01_SISGCA\01I_FEB\ and rename the PEBvx.x.pptx file by prefixing “YY-MM-DD-FNBF_” to the filename and deleting “vx.x” from the end of the file name, so that the file is now named YY-MM-DD-FNBF_PEB.pptx.
    3. Open the YY-MM-DD-FNBF_PEB.pptx file.
    4. Modify the information as necessary to personalize the presentation to the client, your EGS Partnership and the personnel assigned to the engagement.
    5. Save the file.
    6. Navigate to YY-MM-DD-FNBF\01_SISGCA\01I_FEB\ and rename the PERvx.x.docx file by prefixing “YY-MM-DD-FNBF_” to the filename and deleting “vx.x” from the end of the file name, so that the file is now named YY-MM-DD-FNBF_PER.docx.
    7. Open the YY-MM-DD-FNBF_PER.docx file.
    8. Modify the information as necessary to personalize the report to the client and the engagement.
    9. Save the file.

    Notes:
    1). This task is not performed until the client has returned a signed copy of the RoE to your EGS Licensed Partnership.
    2). This task is composed of two sub-tasks. Which sub-task you perform depends on how the client has returned the signed copy of the RoE. If the client returns the signed RoE in hard copy or by fax, perform Task 25a. If the client returns the signed RoE via secure email, perform Task 25b.

    1. Notify the TPOC, either via telephone or email, that the document has been received.
    2. Review the document for proper completion.
    3. If completed incorrectly:
      a. Notify the TPOC,
      b. Explain what is incorrect,
      c. Request a correctly completed copy, and
      d. Destroy the incorrect copy.
    4. Once a correct copy has been received, perform the remaining steps below:
    5. Scan the copy to a single TIFF image.
    6. Save the file to the YY-MM-DD-FNBF\00_Administration\00F_ROE folder, naming the file YY-MM-DD-FNBF_FROE.tif.
    7. Use an MD5 calculator to create an MD5 checksum for the YY-MM-DD-FNBF_FROE.tif document.
    8. Create a text file and copy the checksum to that file.
    9. Save the text file in the YY-MM-DD-FNBF\00_Administration\00F_ROE folder as YY-MM-DD-FNBF_FROE_hash.txt.

    1. Notify the TPOC that the document has been received.
    2. Save the attachment to the YY-MM-DD-FNBF\00_Administration\00F_ROE folder.
    3. If the client has included an MD5 checksum with the document, save the checksum to the same location as the signed copy of the RoE.
    4. Use an MD5 calculator to compare the MD5 of the received document with the MD5 sent by the client:
      a. If both MD5 hashes match, proceed to step 5, else:
      i. Inform the TPOC that the MD5 does not match, and
      ii. Request a matching set of documents.
      iii. When a matching set has been received, proceed to step 5.
    5. Review the document for proper completion:
      a. If the document is correct, proceed to step 6, else:
      i. Notify the TPOC,
      ii. Explain what is incorrect,
      iii. Request a correctly completed copy, and
      iv. Destroy the incorrect copy.
      v. Once a correct copy exists, proceed to step 6.
    6. If no MD5 checksum was received, use an MD5 calculator to create an MD5 checksum for the file.
    7. Create a text file and copy the checksum to that file.
    8. Name the file YY-MM-DD-FNBF_FROE_hash.txt.
    9. Save the checksum file in the same location as the record copy of the RoE.
    10. Send a copy of YY-MM-DD-FNBF_FROE_hash.txt to the client for their records.

    Notes:
    1). This task is not performed until the client has returned a signed copy of the XAUTH to your EGS Licensed Partnership.
    2). This task is composed of two sub-tasks. Which sub-task you perform depends on how the client has returned the signed copy of the XAUTH. If the client returns the signed XAUTH in hard copy or by fax, perform Task 26a. If the client returns the signed XAUTH via secure email, perform Task 26b.

    1. Notify the TPOC, either via telephone or email, that the document has been received.
    2. Review the document for proper completion:
      a. If completed correctly, proceed to step 3, else:
      i. Notify the TPOC,
      ii. Explain what is incorrect,
      iii. Request a correctly completed copy, and
      iv. Destroy the incorrect copy.
      v. Once a correct copy exists, proceed to step 3.
    3. Scan the copy to a single TIFF image.
    4. Save the file to the YY-MM-DD-FNBF\00_Administration\00H_LTA folder, naming the file YY-MM-DD-FNBF_FXAUTH.tif.
    5. Use an MD5 calculator to create an MD5 checksum for the YY-MM-DD-FNBF_FXAUTH.tif document.
    6. Create a text file and copy the checksum to that file.
    7. Name the file YY-MM-DD-FNBF_FXAUTH_hash.txt.
    8. Save the checksum file in the same location as the record copy of the XAUTH.
    1. Notify the TPOC, either via telephone or email, that the document has been received.
    2. Save the attachment to the YY-MM-DD-FNBF\00_Administration\00H_LTA folder.
    3. If the client has included an MD5 checksum with the document, save the checksum to the same location as the signed copy of the XAUTH.
    4. Use an MD5 calculator to compare the MD5 of the received document with the MD5 sent by the client:
      a. If they match, proceed to step 5, else:
      i. Inform the TPOC that the MD5 does not match, and
      ii. Request a matching set of documents.
      iii. When a matching set of documents has been received, proceed to step 5.
    5. Review the document for proper completion:
      a. If completed correctly, proceed to step 6, else:
      i. Notify the TPOC,
      ii. Explain what is incorrect,
      iii. Request a correctly completed copy, and
      iv. Destroy the incorrect copy.
      v. Once a correct copy exists, proceed to step 6.
    6. If no MD5 checksum was received, use an MD5 calculator to create an MD5 checksum for the file.
    7. Create a text file and copy the checksum to that file.
    8. Name the file YY-MM-DD-FNBF_FXAUTH_hash.txt.
    9. Save the checksum file in the same location as the record copy of the XAUTH.
    10. Send a copy of YY-MM-DD-FNBF_FXAUTH_hash.txt to the client via secure email for their records.
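The secure-email variants for the RoE and the XAUTH (Tasks 25b and 26b) share the same checksum handling: compare the client's MD5 with one computed over the received attachment, fall back to generating the checksum when none was sent, and file a `_hash.txt` beside the record copy. The script below is an added example, not code from the lab or its author; the md5sum/BSD checksum line formats it accepts, the sample document bytes and the client checksum lines are constructed assumptions for the demo.

```python
"""Checksum handling for a signed RoE or XAUTH received by secure email (steps 4-10).
Added example, not code from the lab or its author; file names follow the lab's
YY-MM-DD-FNBF_FROE pattern, and the sample bytes and client checksum lines are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
MD5_HEX = re.compile(r"\b[0-9a-fA-F]{32}\b")

def file_md5(path):
    """MD5 of a file, streamed so a large scanned TIFF is not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_client_checksum(text):
    """Digest from a bare hex string, md5sum output ('<hex>  file') or BSD
    output ('MD5 (file) = <hex>'), lowercased; None if no 32-hex-digit value."""
    m = MD5_HEX.search(text)
    return m.group(0).lower() if m else None

def verify_received_document(doc, client_hash_file):
    """Step 4: compare our MD5 with the client's. Returns (status, our_digest);
    status is 'match', 'mismatch' or 'no_client_checksum' (the step 6 case)."""
    ours = file_md5(doc)
    theirs = parse_client_checksum(client_hash_file.read_text()) if client_hash_file else None
    if theirs is None:
        return "no_client_checksum", ours
    return ("match" if ours == theirs else "mismatch"), ours

def write_record_hash(doc, digest):
    """Steps 7-9: write <stem>_hash.txt beside the record copy, md5sum style."""
    out = doc.with_name(doc.stem + "_hash.txt")
    out.write_text(f"{digest}  {doc.name}\n")
    return out

def demo():
    """Run the procedure on a constructed sample RoE in a temporary folder."""
    folder = Path(tempfile.mkdtemp()) / "00_Administration" / "00F_ROE"
    folder.mkdir(parents=True)
    doc = folder / "YY-MM-DD-FNBF_FROE.docx"
    doc.write_bytes(b"CONSTRUCTED SAMPLE: signed Rules of Engagement\n")
    good = folder / "client_md5.txt"        # what a client would send
    good.write_text(f"{file_md5(doc)}  {doc.name}\n")
    bad = folder / "client_md5_wrong.txt"   # corrupted or altered in transit
    bad.write_text("MD5 (other.docx) = " + "0" * 32 + "\n")
    status_ok, digest = verify_received_document(doc, good)
    status_bad, _ = verify_received_document(doc, bad)
    status_none, _ = verify_received_document(doc, None)
    record = write_record_hash(doc, digest)
    return {"ok": status_ok, "bad": status_bad, "none": status_none, "digest": digest,
            "record": record.name, "record_parses": parse_client_checksum(record.read_text()) == digest}
```

The MD5 here only detects a corrupted or substituted attachment; because the checksum travels over the same email channel as the document, authenticity still rests on the secure email channel and on the signed original, not on the hash.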

    1. Navigate to YY-MM-DD-FNBF\00_Administration\00B_ProjPlan\ and open the YY-MM-DD-FNBF_ProjPlan.pod file.
    2. Modify the information as necessary to update the project plan based on the tasks performed in this work area.
Information Security Training Center Hacker Mũ Xám Online | Online Cybersecurity Training | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved