Sample Penetration Testing Policy Template
Overview
Purpose
This policy framework document provides guidance for managing a
penetration testing program and performing penetration testing activities with
the goal of improving defensive IT security for {Company Name}'s
infrastructure, systems, services, and applications. This document defines the
roles and responsibilities of {Company Name}'s executives, managers, and
IT security team personnel as well as external third-party security service
providers.
Scope
The general scope of this policy applies to all equipment owned and/or
operated by {Company Name}, and to employees connecting to any
{Company Name}-owned network domains or cloud applications managed
by {Company Name}.
Defining the general scope of this policy ensures that penetration test
activities are focused on relevant components and safeguards {Company
Name} against testing outside authorized system boundaries.
Veteran Owned
Offensive & Defensive PENETRATION TESTING POLICY
Cyber Security Company
laws that govern the physical location of the asset and the nature of the data,
as well as any acceptable use policy limitations imposed by the contracts and
agreements between {Company Name} and third-party infrastructure service
providers and application licenses.
It should also be noted that this policy document does not provide a
comprehensive definition of all scenarios, terminology, and activities that
may be encountered during penetration testing activities. Therefore, all
parties should use their best judgment when performing pen testing
activities and should communicate to resolve any potentially conflicting
situations.
Policy Goals
The primary goal of {Company Name}'s penetration testing program is to
identify security gaps impacting the Confidentiality, Integrity, and
Availability (CIA Triad) of all systems and data used by {Company Name}.
Ultimately, the discovery of vulnerabilities shall facilitate risk remediation in
line with internal corporate governance objectives. This includes meeting
both internal risk objectives and external IT security standards, including PCI
DSS for merchant payment processing and SOC 2 for the controls that protect
customer data, <List Additional Compliance Frameworks>.
Network Testing
Network penetration testing is intended to identify exposed vulnerabilities and
security weaknesses in {Company Name}'s network infrastructure, which
includes but is not limited to servers, firewalls, switches, routers, printers,
workstations, security appliances, peripherals, and any software applications,
services, or APIs within {Company Name}'s network environment. Internal
and external activities shall be performed as separate engagements.
Additionally, network penetration testing may include both credentialed and
non-credentialed testing so that the assessment covers attacks launched from
sensitive internal network positions as well as attacks by an unauthenticated
outsider.
The high-level goals of network penetration testing should include testing for
known CVE-listed vulnerabilities affecting the in-scope systems and evaluating
resilience against the attacker tactics, techniques, and procedures (TTPs)
catalogued in the MITRE ATT&CK framework.
Wireless testing
Wireless penetration tests seek to assess {Company Name}'s wireless
network security for all of the CIA Triad components. Targets should include
any workstations, laptops, tablets, smartphones, and printers, as well as any
other peripherals and IoT devices. Testing activities should also
comprehensively cover all wireless protocols used by {Company Name}'s
infrastructure.
Wireless penetration testing should verify that wireless access points (APs)
segment guest wireless networks from internal corporate wireless networks.
This includes testing that {Company Name}'s wireless access points
appropriately restrict access to {Company Name}'s corporate wireless
networks and that an attacker on the guest network cannot reach, or learn
anything about, {Company Name}'s internal network.
Other high-level goals of wireless penetration testing are to ensure that all
data passing over the wireless channels is protected from disclosure to an
attacker, that wireless networks are reliable and available, and that data
passing over the wireless network cannot be modified by an attacker.
Social Engineering
Social engineering penetration testing is intended to increase security
assurance for {Company Name}'s business operations by testing personnel
resilience to social engineering attacks and providing user awareness training
where weaknesses are uncovered.
Social engineering penetration testing should include both technical and non-
technical attempts to persuade or trick {Company Name}'s staff into
performing actions that may reveal sensitive information. This includes both
disclosing sensitive information directly to an attacker and performing
actions that may give an attacker access to sensitive information, such as
executing files provided by an attacker.
Physical Testing
Physical penetration testing seeks to gain access to restricted physical
locations within {Company Name}'s buildings and to critical IT
infrastructure, systems, data, or employees. The primary benefit of a physical
penetration test is to expose weaknesses and vulnerabilities in physical
controls including but not limited to locks, elevators, barriers, surveillance
cameras or systems, and access control technologies such as access card
readers and biometric scanners.
Both internal and external testing will be performed in order to achieve the
most comprehensive visibility into {Company Name}'s network security
resilience.
Internal security testing is conducted from within the security perimeter and
is meant to simulate a cyber-attack by a trusted insider or by an attacker who
has gained initial access to {Company Name}'s network. The high-level goal
of internal security testing is to verify that a "defense in depth" approach is
effectively protecting {Company Name}'s assets, systems, and data at all
positions and layers within the network.
The rest of this section defines the individual responsibilities for each specific
stakeholder role.
CEO/CISO
The CEO and/or CISO is responsible for the overall governance of
{Company Name}'s penetration testing program. This includes setting high-
level goals and requirements and approving the documents that grant explicit
permission for each pen testing engagement and outline the expectations and
limitations of that engagement. Under the direction of the CEO and/or CISO,
specific target goals will be set, including any compliance standard
requirements that must be met by the penetration testing program's activities.
Backup Strategy
Adequate backups and fail-over systems must be in place before a pen testing
engagement begins. It is critical that the existence of these recovery systems
is confirmed by the System Owner/Department Lead and acknowledged by
the Pen testing Lead Manager before testing begins. It's also critical that the
System Owner/Department Lead has enough personnel available during
testing activity to make a full recovery of the target systems from backup in
the event of an adverse security incident.
If an incident negatively impacts the target systems, full recovery of those
systems within the mean time to recovery (MTTR), recovery point objective
(RPO), and recovery time objective (RTO) specified in each {Company Name}
department's data security policy must be possible.
Communication Paths
During each pen testing engagement, it is important to ensure all parties
involved are aware of {Company Name}'s pen testing communication
policies. This protects the security of {Company Name}'s business operations
during the pen testing process and supports the secure, reliable, effective, and
efficient management of a pen testing engagement.
● Pen testing Lead Manager must have close communication with all
assigned Pen testing Team Members throughout a pen testing
engagement.
● All information including reports and emergency incident alerts
communicated between the Pen testing Team Members and the System
Owner/Department Lead should go through the Pen testing Lead
Manager.
● Pen testing Team Members and the Pen testing Lead Manager must have a
direct line of contact during all penetration testing activities to enable
an immediate response to potential critical security incidents or other
unexpected discoveries.
● In the case that a vulnerability is discovered with an actual or estimated
CVSS score of 8.5 or higher, that information should be provided
The scope of each engagement must also not fall outside the bounds of any
applicable national or regional regulations or {Company Name}'s contractual
obligations. The scope should be developed into a formal RoE document by
the Pen testing Lead Manager and approved by the CEO/CISO prior to the
start of the engagement.
Rules of Engagement
An RoE document for each pen testing engagement must be developed by the
Pen testing Team Lead and submitted for approval by the CEO and/or CISO
prior to the start of any penetration testing activity.
For some engagements, regular meetings may also be scheduled between the
System Owner/Department Lead and the Pen testing Team Lead, and between
the Pen testing Team Members and the Pen testing Team Lead, to review
engagement status reports issued by the testing team. These meetings can
relay what vulnerabilities have been found up to that point and estimate the
engagement completion time. The System Owner/Department Lead can also
relay whether IT security detection systems have issued any alerts resulting
from the pen testing activities.
If sensitive information about the company, the system, and/or its users is
discovered during the engagement, sensitive data handling procedures must
be followed which should be formally documented in the RoE. These special
procedures should include proper storage and communication measures that
should be taken (for example, full disk encryption on the
testers’ computers, and encrypting reports if they are sent by email). Any
applicable regulatory laws, data privacy laws, and formal contractual
requirements may dictate that only authorized personnel view sensitive data.
● Ensure that fail-over servers are online and functioning normally prior
to the start of testing activities.
● Monitor the availability of production systems during the penetration
testing activities.
● Stop testing immediately and notify the Pen testing Lead Manager and
System Owner/Department Lead immediately if unauthorized access is
achieved on production systems.
● Stop testing immediately and notify the Pen testing Lead Manager and
System Owner/Department Lead immediately if a previously unknown
vulnerability on a production system with a CVSS v3 base score of 7.0 or
higher (High or Critical severity) is discovered.
Each pen testing engagement involves a testing process with four primary
phases. These primary phases are described in the sections below.
Information Gathering
The information gathering phase is intended to facilitate the discovery and
recording of potentially exploitable vulnerabilities. Information gathering is
critical to mapping the target system's attack surface.
During the information gathering phase, Pen testing Team Members must
maintain documentation of all information collected as a record and
accounting of the specific actions taken during the test for use in subsequent
stages of the engagement and in the final report.
Information gathering activities should include but are not strictly limited to:
Exploitation
The exploitation phase is intended to determine whether vulnerabilities can
be exploited in order to gain unauthorized access to systems and/or data. This
phase depends on the information collected during the vulnerability discovery
phase. During the exploitation phase, it is especially important to closely
consider the established RoE and only perform activities that conform with
the specifications outlined in that document.
During the exploitation phase, the Pen testing Team Lead and the Pen testing
Team Members must maintain documentation of all information collected as
a record and accounting of the specific actions taken during
the test for use in subsequent stages of the engagement and in the final report.
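Both the information gathering and exploitation phases require the team to keep a record and accounting of every action taken, and that record is later handed to the System Owner/Department Lead and folded into the final report. The following is an added example, not part of this policy template, of a tamper-evident engagement log: each entry is chained to the previous one by a SHA-256 hash so that an edited, deleted, reordered or inserted entry is detectable when the record is verified. The timestamps, tester names, targets and commands are constructed sample data, and the class and field names are this example's own.

```python
"""Tamper-evident engagement activity log (hash-chained JSON records).

Added example for this policy template (not from the original document).
All entries written below are constructed sample data.
"""

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class EngagementLog:
    def __init__(self, engagement_id: str):
        self.engagement_id = engagement_id
        self.entries = []

    @staticmethod
    def _digest(fields: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the digest does not
        # depend on insertion order or formatting.
        payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record(self, phase, tester, target, action, result, timestamp=None):
        """Append one action. The entry carries the hash of the entry before
        it, so the whole history is bound into the newest hash."""
        fields = {
            "engagement_id": self.engagement_id,
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "phase": phase,
            "tester": tester,
            "target": target,
            "action": action,
            "result": result,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(fields, hash=self._digest(fields))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq) for
        the first entry whose content, position or link does not check out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "hash"}
            if (fields.get("seq") != i
                    or fields.get("engagement_id") != self.engagement_id
                    or fields.get("prev_hash") != prev
                    or self._digest(fields) != e["hash"]):
                return False, i
            prev = e["hash"]
        return True, None

    def head(self) -> str:
        """Hash of the latest entry; hand this to the System Owner/Department
        Lead at each status meeting so later edits to the record are evident."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def by_phase(self, phase):
        return [e for e in self.entries if e["phase"] == phase]

    def export(self) -> str:
        return json.dumps(self.entries, indent=2, sort_keys=True)


def sample_log() -> EngagementLog:
    """Constructed sample entries with fixed timestamps (deterministic)."""
    log = EngagementLog("ENG-0001")
    log.record("information_gathering", "tester1", "10.0.0.0/24",
               "nmap -sS -p- 10.0.0.0/24", "22 hosts up; 10.0.0.5 tcp/445 open",
               timestamp="2024-01-15T09:02:11+00:00")
    log.record("information_gathering", "tester1", "10.0.0.5",
               "smbclient -L //10.0.0.5 -N", "anonymous share listing allowed",
               timestamp="2024-01-15T09:15:40+00:00")
    log.record("exploitation", "tester2", "10.0.0.5",
               "read share \\\\10.0.0.5\\public", "internal config file found; RoE item 4 notified",
               timestamp="2024-01-15T10:03:02+00:00")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify(), "head:", log.head())
    print(log.export())
```

The hash chain does not prevent a tester with write access from rewriting the file; it makes any rewrite detectable as long as the head hash was shared with someone else (the Pen testing Lead Manager or the System Owner/Department Lead) at the earlier point in time.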
The System Owner/Department Lead should have access to all
documentation during the pen testing process but is not authorized to
remediate any of the discovered vulnerabilities until after the engagement
window ends, unless the engagement RoE has defined special circumstances.
Exploitation activities should include, but are not strictly limited to:
○ Internal/shared configurations
○ Unauthorized access to sensitive documents
The Pen testing Team Lead should deliver each engagement's documentation
and final report to the System Owner/Department Lead and the CEO and/or
CISO in a timely manner after the pen testing engagement activities have
been completed.