What is your engagement process?

This article describes the main steps in the process for engaging Secure Ideas for penetration testing and consulting services.

Engaging any company in penetration testing necessitates quite a bit of contract language. The good news is that we at Secure Ideas have a lot of experience in this area and are regularly tweaking our process to keep it as quick and straightforward as possible.

This article will walk you through the main steps in our process, as follows:


Engagement Process

Scoping

The scoping step usually takes the form of a phone call or web meeting between you and a senior Secure Ideas consultant. The consultant will ask scope-related questions about the engagement during this call to estimate the total effort. We have many years of experience estimating the effort of penetration tests and other types of security assessments and consequently have become very accurate. Our penetration testing and consulting engagements usually are time-boxed, so this estimated effort can be translated directly into a fixed bid for the work.

Contract

The next step in our engagement process is building, reviewing, and signing a contract. Moreover, penetration testing without a contract is a crime, so this step is a legal requirement for every penetration test engagement.

There usually are two contracts in place for an engagement:

  1. Master Service Agreement (MSA): This contract establishes the rules under which Secure Ideas and your company agree to do business. The MSA usually is only established once and applies across future work. To help expedite the process, our MSA also contains mutual non-disclosure agreement (MNDA) language.
  2. Statement of Work (SoW): This contract formalizes both parties' scope, cost, and expectations for a specific engagement. The SoW is dependent on the MSA. Some smaller engagements, such as one-off training classes, may use a shorter Letter of Engagement (LoE) instead of an SoW.

We will send both of these documents to you for review and, if necessary, redlines by your legal counsel. Once we have mutually agreed upon the documents, we will send them to you for digital signature and counter-signature.

Scheduling

Upon signature, we can finalize the schedule for the engagement. We don't finalize the schedule before a signed contract because it is difficult for us to predict how long your contracting or supplier onboarding process will take. We try to keep enough of a bench to book work on average about six weeks out, but this varies depending on the time of year.

Kick-Off

Once the schedule is set for the engagement, we will also schedule a kick-off call between you and the consultants assigned to your engagement. This call will be scheduled for a date about two weeks before the start of the engagement activity and will cover topics such as:

  • Introduction of team members
  • Review of scope and timing of work
  • Review of phases, milestones, and rules of engagement
  • Items to be provided by you and Secure Ideas (IP ranges, URLs, test user accounts, etc.)
  • Contact information for both sides
  • Planning for ongoing status meetings (frequency, method, participants, etc.)
  • Procedures and contacts for emergencies

Execution

The engagement window varies depending on the type of work and the amount of effort scoped. Most penetration test engagements are completed within one to two calendar weeks.

Report

The report is the primary deliverable for most engagements and is a step we take very seriously. We may start working on the report during the engagement, but it will generally be drafted two to five business days after the end of the active engagement period.

The report then goes through our rigorous review process, where at least two other Secure Ideas consultants read through and critique the report for accuracy and proper rating of findings. This process helps us maintain a consistently high quality in our deliverables. It is important to us that your report be clear and actionable and that, to the best of our knowledge, it accurately reflects the risk to your business.

Once the review is complete, we will deliver the report to you labeled as a draft. You then have the opportunity to provide feedback over the following two weeks.

Finalization

Once the review period is complete, we will discuss and incorporate the feedback you have provided and issue a final version of the report. We will also perform any final steps you have requested, such as issuing a letter of attestation or scheduling a final presentation of the findings.