
Defining objectives with stakeholder questionnaires

This section goes over the various questions that I have used and that I think are important for this type of engagement. These will help define clear and measurable objectives for the penetration tester.

Let's have a look at a questionnaire to determine the engagement criteria:

  • What is the objective of this penetration test?
  • What will be the deliverables required at the end of the penetration test?
  • What is the length of the penetration test, and is there any period of time when the penetration test cannot happen? (For example, the customer may have a busy period during the day when they don't want anything to interrupt their business processes.)
  • During the penetration test, does the penetration test stop at finding vulnerabilities, or does it proceed to actively try to exploit these vulnerabilities? (This question is important because the stakeholder may not want systems to be taken down or data to be modified or deleted, so we want to make sure we know the boundaries.) If exploiting systems is acceptable, do you want the penetration tester to try lateral movement within the environment after that?
  • Will this be an internal penetration test, an external penetration test, or both?
  • Who are the contacts within the company?
  • Are there any compliance standards that the company needs to follow?