
Sample Penetration Testing Policy Template


Veteran Owned

Offensive & Defensive PENETRATION TESTING POLICY

Cyber Security Company

Overview
Purpose
This policy framework document provides guidance for managing a
penetration testing program and performing penetration testing activities with
the goal of improving defensive IT security for {Company Name}'s
infrastructure, systems, services, and applications. This document defines the
roles and responsibilities of {Company Name}'s executives, managers, and
IT security team personnel as well as external third-party security service
providers.

This document also outlines a set of penetration testing activity terminology,
definitions, scopes, limitations, and procedures that should be applied to
ensure reliable and effective penetration test activities. This policy document
also describes the high-level goals of {Company Name}'s penetration testing
program as well as any formal requirements defined by {Company Name}'s
responsibilities to its customers and partners through contracts, service level
agreements, or compliance standards, and specific penetration testing
activities that should be conducted to meet these goals and requirements.

Scope
The general scope of this policy applies to all equipment owned and/or
operated by {Company Name}, and to employees connecting to any
{Company Name}-owned network domains or cloud applications managed
by {Company Name}.

Defining the general scope of this policy ensures that penetration test
activities are focused on relevant components and safeguard {Company
Name} against violating authorized system boundaries.

All penetration testing activity conducted on equipment owned or controlled
by {Company Name} must conform to all national and regional
laws that govern the physical location of the asset and the nature of the data,
as well as any acceptable use policy limitations imposed by the contracts and
agreements between {Company Name} and third-party infrastructure service
providers and application licenses.

It should also be noted that this policy document does not provide a
comprehensive definition of all scenarios, terminology, and activities that
may be encountered during penetration testing activities. Therefore, all
parties should also use their best judgment when performing pen testing
activities, and communication should be used to clarify any potentially
conflicting situations.

Policy Goals
The primary goal of {Company Name}'s penetration testing program is to
identify security gaps impacting the Confidentiality, Integrity, and
Availability (CIA Triad) of all systems and data used by {Company Name}.
Ultimately, the discovery of vulnerabilities shall facilitate risk remediation in
line with internal corporate governance objectives. This includes meeting
both internal risk objectives and external IT security standards including PCI-DSS
for merchant payment processing and SOC-2 for the protection of
customer personal data, <List Additional Compliance Frameworks>.

Penetration Testing Policy Definitions

A penetration test is a simulated cyber-attack used to identify software
vulnerabilities and security gaps, misconfigurations, and business logic flaws.
The rest of this section defines key terminology and penetration testing types
that may be encountered within this policy document or other related policy
documents.

General Penetration Testing Terminology

● Activity - refers to an individual penetration testing process that is
conducted by the penetration testing team
● Engagement - a set of multiple penetration testing activities that
comprise a single test defined by a specific service level agreement
(SLA) and rules of engagement (RoE) documents and resulting in a
single report
● Target - any asset, infrastructure, device, network, application, or data
that is within the scope of a particular penetration testing engagement
● White box tests - refer to tests conducted by those with knowledge of
the internal workings of target systems
● Grey box tests - refer to tests conducted by those with some limited
knowledge of the internal workings of target systems
● Black box tests - refer to tests conducted by those with no knowledge
of internal workings
● Service level agreement (SLA) - a document related to a single
penetration testing engagement that contains the level of service
expected and may include metrics by which service is measured
● Rules of Engagement (RoE) - a document related to a single
penetration testing engagement that contains the formal approvals,
authorizations, scope, and other general guidelines or formal objectives
necessary to execute a penetration testing engagement
● External tests - security testing conducted from outside {Company
Name}'s network security perimeter
● Internal tests - security testing conducted from inside {Company
Name}'s network security perimeter
● CIA Triad - refers to the fundamental IT security components of
Confidentiality, Integrity, and Availability

Penetration Testing Engagement Types

{Company Name}'s penetration testing program will include the categories
of testing engagements described below.

Network Testing
Network penetration testing seeks to identify exposed vulnerabilities and
security weaknesses in {Company Name}'s network infrastructure, which
includes but is not limited to servers, firewalls, switches, routers, printers,
workstations, security appliances, peripherals, and any software applications,
services, or APIs within {Company Name}'s network environment. Internal
and external activities shall be performed as separate engagements.
Additionally, network penetration testing activities may include both credentialed
and non-credentialed testing to provide increased protection against
attacks launched from sensitive internal network positions.

The high-level goals of network penetration testing should include testing for all
applicable vulnerabilities catalogued in MITRE CVE and evaluating
resilience against the known attacker TTPs included in the MITRE ATT&CK
framework.

Web Application Testing

Web application penetration testing seeks to identify vulnerabilities, security
flaws, or threats in web applications owned by {Company Name}.
Activities may use any known malicious attack against the application, including
both manual and automated penetration testing activities.

The high-level goals of web-application penetration testing should cover all
vulnerabilities listed in the OWASP Top Ten web-application vulnerabilities
and the MITRE CWE software weaknesses, and evaluate the application's
resilience against the known attacker TTPs included in the MITRE ATT&CK
framework.

Wireless Testing
Wireless penetration tests seek to assess {Company Name}'s wireless
network security for all of the CIA Triad components. Targets should include
any workstations, laptops, tablets, smartphones, and printers, as well as any
other peripherals and IoT devices. Testing activities should also
comprehensively include all wireless protocols used by {Company Name}'s
infrastructure.

Wireless penetration testing should verify that wireless access points (AP) are
segmented with respect to guest wireless networks and internal corporate
wireless networks. This includes testing that {Company Name}'s wireless
access points appropriately restrict access to {Company Name}'s corporate
wireless networks and that no information about {Company Name}'s
internal network can be accessed by attackers.

Other high-level goals of wireless penetration testing are to ensure that all
data passing over the wireless channels is protected from discovery by an
attacker, that wireless networks are reliable and available, and that data
passing over the wireless network cannot be modified by an attacker.

Social Engineering
Social engineering penetration testing seeks to increase security assurance for
{Company Name}'s business operations by testing personnel resilience to
social engineering attacks and providing user awareness training where
weaknesses are uncovered.

Social engineering penetration testing should include both technical and
non-technical attempts to persuade or trick {Company Name}'s staff into
performing actions that may reveal sensitive information. This includes
both directly providing sensitive information to an attacker and performing
actions that may give an attacker access to sensitive information,
such as executing files provided by an attacker.

The high-level goal of social engineering pen testing activities is to educate
personnel about the potential implications of the actions they perform in their
day-to-day duties, and the various contexts in which a cyber-attack may
involve them.

Physical Testing
Physical penetration testing seeks to gain access to restricted physical
locations within {Company Name}'s buildings, critical IT infrastructure,
systems, data, or employees. The primary benefit of a physical penetration
test is to expose weaknesses and vulnerabilities in physical controls including
but not limited to locks, elevators, barriers, surveillance cameras or systems,
and access control technologies such as access card readers and biometric
scanners.

The high-level goal of physical penetration testing is to eliminate security
weaknesses that provide unauthorized physical access to {Company
Name}'s assets.

Penetration Testing Perspectives

Both internal and external testing will be performed in order to achieve the
most comprehensive visibility into {Company Name}'s network security
resilience.

External security testing is conducted from outside {Company Name}'s
network security perimeter — as seen from the Internet — to simulate the
behavior of an attacker who has not penetrated the network or gained access
to {Company Name}'s internal systems. This type of test seeks to
simulate the first stages of a cyber-attack where the attacker performs
activities such as reconnaissance, passive or active scanning of the external
attack surface, and weaponizing and deploying attacks that seek to gain initial
access to {Company Name}'s network. The high-level goal of external
penetration testing is to reduce the external attack surface of {Company
Name}'s public IP endpoints and reveal as little information to attackers as
possible.

Internal security testing is conducted from within the security perimeter and
is meant to simulate a cyber-attack by a trusted insider or an attacker who has
gained initial access to {Company Name}'s network. The high-level goal of
internal security testing is to verify that a "defense in depth" approach is
effectively protecting {Company Name}'s assets, systems, and data at all
positions and layers within the network.

Roles And Responsibilities

Maintaining a clear set of roles and responsibilities is critical for the
execution of a reliable, effective, and efficient penetration testing program
that is able to satisfy the program's intended goals and requirements. The
following section outlines the responsibilities of each stakeholder of the
penetration testing program. These responsibilities include management of
{Company Name}'s risk requirements, governance of the penetration testing
program, scoping each penetration testing engagement, scheduling and
planning penetration testing activities, and ensuring that {Company Name}'s
development and production systems and data are properly prepared for the
penetration testing process.

The rest of this section defines the individual responsibilities for each specific
stakeholder role.

CEO/CISO
The CEO and/or CISO is responsible for the overall governance of
{Company Name}'s penetration testing program. This includes setting high-level
goals and requirements and approving the documents that grant explicit
permission for each pen testing engagement and outline the expectations and
limitations of each engagement. Under the direction of the CEO and/or CISO,
specific target goals will be set, including any compliance standard
requirements that must be met by the penetration testing program's activities.

A summary of CEO and/or CISO responsibilities includes:

● Develops and relays the program's high-level goals and requirements.
● Develops the program's overall scope.
● Directs the development of the pen testing engagement schedule.
● Outlines communication requirements for the program.
● Outlines the general requirements for pen testing SLAs and RoEs.
● Approves the pen testing SLAs and RoEs, schedule, budget, and types
of pen testing engagements to be conducted.
● Signs each pen testing engagement SLA and RoE.

System Owner/Department Lead

The System Owner/Department Lead represents the IT system administrator
who is responsible for the specific network, systems, and data targeted by a
specific pen testing engagement. The System Owner/Department Lead is
tasked with monitoring during the engagement and preparing the target
environment for penetration testing activities by ensuring that adequate failover
servers and backups are in place for the restoration of systems to full
functionality in the case of unexpected damage caused by penetration testing
activities. The System Owner/Department Lead is also tasked with
provisioning any resources, such as network access and user accounts,
required for the pen testing engagement.

A summary of System Owner/Department Lead responsibilities includes:

● Collects and manages system backups for all targets of a penetration
testing engagement.
● Provisions any required accounts and provides pen testers with network
access to them.
● Provides pen testers with any required information for white box or
grey box tests.
● Defines an acceptable penetration testing time window for the target
systems.
● Signs the rules of engagement (RoE).
● Mitigates vulnerabilities discovered during the pen testing
engagement.

Pen Testing Lead Manager

The Pen testing Lead Manager may be an internal employee of {Company
Name} or an assigned manager of a penetration testing engagement with a
third-party penetration testing service provider, and is responsible for
planning and overseeing each pen testing engagement and its penetration testing
activities such that they adhere to the guidance provided by the pen testing
frameworks listed in Section 5.i "Relevant sources of penetration testing
activity scope". The ultimate responsibility of the Pen testing Lead Manager
is to seek to identify all types of vulnerabilities within {Company Name}'s IT
infrastructure, including, but not limited to, those found within Section
5.i "Relevant sources of vulnerability information". All planned and executed
activities must be considered ethical, legal, and in line with any existing
contractual obligations and limitations between {Company Name} and third-party
service and infrastructure providers.

All penetration testing engagements will be explicitly approved by
{Company Name}'s executive management including the Chief Executive
Officer (CEO) and/or Chief Information Security Officer (CISO) prior to
execution. This explicit permission will be formalized in an SLA that will be
signed by members of {Company Name}'s executive management, the
System Owner/Department Lead, the Pen testing Lead Manager, and all pen
testing team members.

A summary of Pen testing Lead Manager responsibilities includes:

● Manages the schedule of penetration testing engagements and related
responsibilities.
● Selects and plans appropriate penetration testing activities based on
each engagement's scope to meet the minimum requirements outlined
in this document and any additional requirements specified by
{Company Name}'s CEO and/or CISO.
● Develops appropriate RoE documents and submits them for approval by
the CEO and/or CISO before the pen testing engagement begins.
● Schedules meetings with pen testing team members to explain each
engagement's SLA and RoE.
● Assigns specific tasks to penetration testing team members.
● Oversees penetration testing activities and ensures that activities are
conducted properly.
● Ensures that evidence is collected and oversees the writing of reports to
relay the findings uncovered by each pen testing engagement.
● Signs the SLA and RoE for each pen testing engagement.
● Ensures all penetration team members sign the required SLA and RoE
for each pen testing engagement.

Pen Testing Team Members

The Pen testing Team Members may be internal employees of {Company
Name} or direct employees of a third-party penetration testing service
provider and are responsible for performing activities similar to those of a
malicious actor with the purpose of simulating a real-world cyber-attack. All
activities will be conducted ethically and must have explicit permission from
the Pen testing Lead Manager, who is acting on behalf of {Company Name}'s
executive management including the CEO and/or CISO. This explicit
permission will be formalized in a penetration testing service level agreement
that will be signed by each individual Pen testing Team Member.

A summary of the general responsibilities of Pen testing Team Members
includes:

● Following the direction of the Pen testing Lead Manager.
● Performing and properly documenting penetration test activities.
● Compiling detailed information for each discovered vulnerability.
● Providing a risk score and rating for each discovered vulnerability.
● Compiling remediation recommendations for each discovered
vulnerability.
● Verifying the remediation of each discovered vulnerability during
retesting.
● Signing the required pen testing SLA and/or RoE.

Backup Strategy
Adequate backups and fail-over systems must be in place before a pen testing
engagement begins. It is critical that the existence of these recovery systems
is confirmed by the System Owner/Department Lead and acknowledged by
the Pen testing Lead Manager before testing begins. It's also critical that the
System Owner/Department Lead has enough personnel available during
testing activity to make a full recovery of the target systems from backup in
the event of an adverse security incident.

If an incident causes a negative impact on the target systems the full recovery
of systems according to the mean time to recovery (MTTR), recovery point
objective (RPO), and recovery time objective (RTO) specified in each
{Company Name} department's data security policy must be possible.


Communication Paths
During each pen testing engagement, it's important to ensure all parties
involved are aware of {Company Name}'s pen testing communication
policies. This protects the security of {Company Name}'s business operations during the pen
testing process and supports the secure, reliable, effective, and efficient
management of a pen testing engagement.

A summary of mandatory communication requirements during penetration
testing engagements:

● The Pen testing Lead Manager must maintain close communication with all
assigned Pen testing Team Members throughout a pen testing
engagement.
● All information, including reports and emergency incident alerts,
communicated between the Pen testing Team Members and the System
Owner/Department Lead should go through the Pen testing Lead
Manager.
● Pen testing Team Members and the Pen testing Lead Manager must have a
direct line of contact during all penetration testing activities to enable
an immediate response to potential critical security incidents or
unexpected discoveries.
● In the case that a vulnerability is discovered with an actual or estimated
CVSS score of 8.5 or higher, that information should be provided
directly to the relevant System Owner/Department Lead within 24
hours of the discovery.
● After the completion of a pen testing engagement, the Pen testing Lead
Manager should provide the documented results to the System
Owner/Department Lead in a timely manner to allow for the
remediation of discovered vulnerabilities.
● After the completion of a pen testing engagement, the Pen testing Lead
Manager should provide the documented results to the CEO and/or
CISO to allow a risk reassessment of business operations.
● After the delivery of reports, the System Owner/Department Lead
and CISO will meet directly to
discuss remediation and review the management of any remaining
vulnerabilities, such as transferring or accepting the risk.
● After the full remediation of all vulnerabilities, the System
Owner/Department Lead should notify the Pen testing Lead Manager so
that retesting to verify the effectiveness of the remediation steps

Pen testing Activity Scope And Limitations

Each penetration testing engagement has a scope that defines what is being
tested and the engagement's limitations. High-level goals for each type of
engagement can be found in Section 2 "Penetration Testing Policy
Definitions" and sources of granular scope can be found in Section 5.i "Pen
testing Frameworks And Cyber-Threat Intelligence". Each engagement may
also include specific requirements and contractual obligations such as service
level agreements with {Company Name}'s customers, users, and compliance
with formal IT security standards.

The scope of each engagement must also not fall outside of the bounds of any
applicable national or regional regulations or {Company Name}'s contractual
obligations. The scope should be developed into a formal RoE document by
the Pen testing Lead Manager and approved by the CEO/CISO prior to the
start of the engagement.

It is the responsibility of the Pen testing Lead Manager to translate the
approved RoE into pen testing activities that are appropriate for achieving the
high-level and engagement-specific requirements of each engagement.

Although the penetration testing frameworks and sources of cyber-threat
intelligence listed in Section 5.i below serve as a general starting point for
scoping the design of penetration testing activities, in certain situations,
such as those described above, special consideration may be required when
planning testing activities.

Pen testing Frameworks And Cyber-Threat Intelligence

The Pen testing Lead Manager is responsible for planning and implementing
pen testing activities to verify that {Company Name}'s assets, systems, and
data are resilient to common known vulnerabilities and attacks described in
reliable IT security information repositories and penetration testing
frameworks. This includes repositories of specific known vulnerabilities that
have been identified in the hardware and software used in {Company
Name}'s IT environment and other cyber-attack tactics, techniques, and
procedures documented as threat actor methodology. The lists below
highlight some common examples of penetration testing methodology and
sources of known vulnerabilities and cyber-attack strategies.

Relevant sources of standard penetration testing activity scope

● OWASP Testing Guide 4.1
● PTES Penetration Testing Execution Standard
● PTES-TG Penetration Testing Execution Standard Technical
Guidelines

Relevant sources of vulnerability information

● CWE/SANS TOP 25 Most Dangerous Software Errors
● OWASP Serverless Top 10
● OWASP Top 10
● MITRE ATT&CK
● MITRE Common Vulnerability Enumeration (CVE)
● MITRE Common Weakness Enumeration (CWE)

Rules of Engagement
An RoE document for each pen testing engagement must be developed by the
Pen testing Team Lead and submitted for approval by the CEO and/or CISO
prior to the start of any penetration testing activity.

At a minimum, the RoE must contain the following information:

● The type of penetration test being conducted
● A list of target systems with their IP address and hostname
● Any limitations on the type of activities that can be used against the
target systems
● Any formal compliance standards that are being attested by the
engagement
● Contact information in case of an adverse event that causes damage to
the target systems

For some engagements, regular meetings may also be scheduled between the
System Owner/Department Lead and the Pen testing Team Lead and between
the Pen testing team members and the Pen testing Team Lead to review
engagement status reports issued by the testing team. These meetings can
relay what vulnerabilities have been found up to that point and estimate the
engagement completion time. The System Owner/Department Lead can also relay
whether IT security detection systems have issued any alerts resulting from
the pen testing activities.

If sensitive information about the company, the system, and/or its users is
discovered during the engagement, sensitive data handling procedures must
be followed, which should be formally documented in the RoE. These special
procedures should include the proper storage and communication measures that
should be taken (for example, full disk encryption on the
testers’ computers, and encrypting reports if they are sent by email). Any
applicable regulatory laws, data privacy laws, and formal contractual
requirements may dictate that only authorized personnel view sensitive data.

Pen testing Production Systems

Special considerations are required for penetration testing {Company
Name}'s production systems in addition to standard testing procedures. These
special conditions are listed below.

● Ensure that fail-over servers are online and functioning normally prior
to the start of testing activities.
● Monitor the availability of production systems during the penetration
testing activities.
● Stop testing and notify the Pen testing Lead Manager and
System Owner/Department Lead immediately if unauthorized access is
achieved on production systems.
● Stop testing and notify the Pen testing Lead Manager and
System Owner/Department Lead immediately if a previously unknown
vulnerability on a production system with a CVSS V3 criticality rating
above 7.0 (level high or critical) is discovered.
● Do not conduct any type of Denial of Service (DoS) attack directly on
production servers unless special authorization has been granted by the
CEO and/or CISO.

The Penetration Testing Process

The pen testing procedure described in this document is used for testing and
assessing the security posture of {Company Name}'s IT environment,
information systems, and data. Each engagement should include activities
within each phase of the testing process described in this policy to ensure that
engagements produce a holistic and reliable set of findings. The results from
each engagement should be organized into a report and used to remediate
vulnerabilities and improve {Company Name}'s overall cyber resilience. Test
findings should not be used to exclude other security processes.

Each pen testing engagement involves a testing process with four primary
phases. These primary phases are described in the sections below.

Information Gathering
The information gathering phase is intended to facilitate the discovery and
recording of potentially exploitable vulnerabilities. Information gathering is
critical to mapping the target system's attack surface.

The information gathering process should include methods of collecting data
from publicly available sources of threat intelligence (also known as open
source intelligence / OSINT) and from data sources that can be accessed from
within {Company Name}'s internal network. The information gathering
process will also include probing system entry points for flaws that can be
used to generate errors, disrupt normal functions, gain unauthorized access to
data, or gain control of a system.

During the information gathering phase, Pen testing Team Members must
maintain documentation of all information collected as a record and
accounting of the specific actions taken during the test for use in subsequent
stages of the engagement and in the final report.

Information gathering activities should include but are not strictly limited to:

● Discovering OSINT that pertains to {Company Name} and to the
systems, software, and hardware that {Company Name} uses
● Enumerating the public network interfaces/IP addresses of {Company
Name}'s corporate network and {Company Name}'s cloud
infrastructure
● Identifying system architecture and components within {Company
Name}'s internal corporate network
● Mapping application flow and design
● Mapping internal business processes

Exploitation
The exploitation phase is intended to determine whether vulnerabilities can
be exploited in order to gain unauthorized access to systems and/or data. This
phase depends on the information collected during the vulnerability discovery
phase. During the exploitation phase, it is especially important to closely
consider the established RoE and only perform activities that conform with
the specifications outlined in that document.

During the exploitation phase, the Pen testing Team Lead and the Pen testing
Team Members must maintain documentation of all information collected as
a record and accounting of the specific actions taken during
the test for use in subsequent stages of the engagement and in the final report.
The System Owner/Department Lead should have access to all
documentation during the pen testing process but is not authorized to
remediate any of the discovered vulnerabilities until after the engagement
window ends unless the engagement RoE has defined special circumstances.

Exploitation activities should include, but are not strictly limited to:

● Business process/logic or design flaws:
○ Registration flaws
○ Account/password reset attacks
○ Registration and account spoofing
○ Input validation flaws
○ Parameter manipulation
○ Authentication bypass
○ File, command, or script injection
○ Privilege escalation
○ Other forms of unauthorized access
○ Social engineering attacks
● Configuration flaws:
○ Default access credentials
○ Unauthorized access to administration commands or systems
○ Unpatched software and services
○ Access relationship/token forgery
○ Open service abuse
○ Internal/shared configurations
○ Unauthorized access to sensitive documents

Documentation And Reporting

The documentation phase is intended to provide a summary of findings and
in-depth details about the findings. The final deliverable report will include a
summary section that lists each testing activity conducted, the findings, and
an analysis of the vulnerability's severity if a vulnerability was found. The
final report will also include a main body that describes in-depth details for
each vulnerability successfully exploited including specific steps taken to
exploit the vulnerability, and evidence and links to any data that was accessed
or other sensitive information that was gathered such as usernames and
passwords, client certificates, or sensitive documents.

The description of an exploited vulnerability's severity should include a
CVSS V3 severity rating, score, and vector string. The CVSS V3 rating,
score, and vector string will be used to determine the ultimate risk to
{Company Name}'s business operations. The final deliverable report will
also include recommendations for mitigation or a technical solution for each
exploited vulnerability.

The Pen testing Team Lead should deliver each engagement's documentation
and final report to the System Owner/Department Lead and the CEO and/or CISO in
a timely manner after the pen testing engagement activities have been
completed.
