Before we commence with testing, there are requirements that must be taken into consideration. You will need to determine the proper scoping of the test, timeframes, and restrictions, the type of testing (white box, black box), and how to deal with third-party equipment and IP space.
Before you can accurately determine the scope of the test, you will need to gather as much information as possible. It is critical that the following points are fully understood prior to starting the testing procedures:
Who has the authority to authorize testing?
What is the purpose of the test?
What is the proposed timeframe for the testing? Are there any restrictions as to when the testing can be performed?
Does your customer understand the difference between a vulnerability assessment and a penetration test?
Will you be conducting this test with, or without the cooperation of the IT security operations team? Are you testing their effectiveness?
Is social engineering permitted...