Scoping Questionnaire Template

📋 What is a Scoping Questionnaire?

A scoping questionnaire is a comprehensive information-gathering tool used to understand the client’s environment, requirements, and expectations before a penetration test begins. It helps define the scope, identify potential risks, and establish clear project boundaries.

Purpose of the Scoping Questionnaire

  • Environment Understanding: Gather detailed information about the target environment
  • Scope Definition: Clearly define what will and won’t be tested
  • Risk Assessment: Identify potential risks and challenges
  • Resource Planning: Determine required resources and timeline
  • Expectation Management: Align client expectations with deliverables
  • Compliance Requirements: Identify regulatory and compliance needs

Key Components

  • Organization Information: Company details, industry, size
  • Technical Environment: Systems, networks, applications
  • Security Posture: Current security measures and controls
  • Business Context: Critical assets, business processes
  • Testing Requirements: Specific testing needs and objectives
  • Constraints: Limitations, restrictions, and special considerations
  • Timeline: Project schedule and milestones

When to Use

  • Before any penetration testing engagement
  • During initial project planning phase
  • When defining project scope and requirements
  • For complex or multi-faceted engagements
  • When working with new clients

📄 Scoping Questionnaire Template

PENETRATION TESTING SCOPING QUESTIONNAIRE

Project Information:

  • Project Name: [PROJECT NAME]
  • Date: [DATE]
  • Prepared By: [CONSULTANT NAME]
  • Client Contact: [CLIENT CONTACT NAME]
  • Client Company: [CLIENT COMPANY NAME]

1. ORGANIZATION INFORMATION

1.1 Company Overview

  • Company Name: [COMPANY NAME]
  • Industry: [INDUSTRY TYPE]
  • Company Size: [NUMBER OF EMPLOYEES]
  • Annual Revenue: [REVENUE RANGE]
  • Headquarters Location: [LOCATION]
  • Primary Business: [BUSINESS DESCRIPTION]

1.2 Regulatory Compliance

  • Regulatory Requirements: [CHECK ALL THAT APPLY]
    • PCI DSS (Payment Card Industry)
    • HIPAA (Healthcare)
    • SOX (Sarbanes-Oxley)
    • GDPR (General Data Protection Regulation)
    • CCPA (California Consumer Privacy Act)
    • FISMA (Federal Information Security Management Act)
    • ISO 27001
    • Other: [SPECIFY]
  • Compliance Deadlines: [DEADLINES]
  • Previous Audit Results: [AUDIT RESULTS]
  • Compliance Officer Contact: [CONTACT INFORMATION]

1.3 Security Team

  • Chief Information Security Officer (CISO): [NAME AND CONTACT]
  • Security Team Size: [NUMBER OF MEMBERS]
  • Security Team Experience: [YEARS OF EXPERIENCE]
  • Previous Penetration Testing: [HISTORY]
  • Incident Response Team: [TEAM DETAILS]

2. TECHNICAL ENVIRONMENT

2.1 Network Infrastructure

  • Network Topology: [DESCRIPTION]
  • Number of Subnets: [NUMBER]
  • Network Segments: [SEGMENTS]
  • Firewall Configuration: [CONFIGURATION]
  • VPN Access: [VPN DETAILS]
  • Remote Access: [REMOTE ACCESS DETAILS]
  • Network Monitoring: [MONITORING TOOLS]

2.2 Systems and Servers

  • Operating Systems: [LIST ALL OS VERSIONS]
  • Server Count: [NUMBER OF SERVERS]
  • Server Types: [WEB, DATABASE, APPLICATION, ETC.]
  • Virtualization: [VMWARE, HYPER-V, ETC.]
  • Cloud Services: [AWS, AZURE, GCP, ETC.]
  • Containerization: [DOCKER, KUBERNETES, ETC.]

2.3 Applications

  • Web Applications: [NUMBER AND TYPES]
  • Mobile Applications: [NUMBER AND TYPES]
  • Desktop Applications: [NUMBER AND TYPES]
  • API Endpoints: [NUMBER AND TYPES]
  • Third-Party Applications: [LIST]
  • Custom Applications: [LIST]

2.4 Database Systems

  • Database Types: [MYSQL, POSTGRESQL, ORACLE, ETC.]
  • Database Count: [NUMBER]
  • Database Versions: [VERSIONS]
  • Database Access: [ACCESS METHODS]
  • Data Classification: [SENSITIVE DATA TYPES]

3. SECURITY POSTURE

3.1 Current Security Measures

  • Antivirus/Anti-malware: [SOLUTIONS]
  • Intrusion Detection/Prevention: [SOLUTIONS]
  • Security Information and Event Management (SIEM): [SOLUTION]
  • Data Loss Prevention (DLP): [SOLUTION]
  • Web Application Firewall (WAF): [SOLUTION]
  • Network Access Control (NAC): [SOLUTION]
  • Endpoint Detection and Response (EDR): [SOLUTION]

3.2 Access Controls

  • Authentication Methods: [METHODS]
  • Multi-Factor Authentication (MFA): [IMPLEMENTATION]
  • Single Sign-On (SSO): [IMPLEMENTATION]
  • Privileged Access Management (PAM): [IMPLEMENTATION]
  • Role-Based Access Control (RBAC): [IMPLEMENTATION]
  • Password Policies: [POLICIES]

3.3 Security Policies

  • Security Policy Existence: [YES/NO]
  • Policy Review Frequency: [FREQUENCY]
  • Employee Security Training: [TRAINING DETAILS]
  • Incident Response Plan: [PLAN DETAILS]
  • Business Continuity Plan: [PLAN DETAILS]
  • Disaster Recovery Plan: [PLAN DETAILS]

4. BUSINESS CONTEXT

4.1 Critical Assets

  • Critical Systems: [LIST]
  • Critical Data: [DATA TYPES]
  • Critical Applications: [APPLICATIONS]
  • Critical Infrastructure: [INFRASTRUCTURE]
  • Business-Critical Processes: [PROCESSES]

4.2 Business Impact

  • Maximum Acceptable Downtime: [TIME]
  • Peak Business Hours: [HOURS]
  • Critical Business Periods: [PERIODS]
  • Customer-Facing Systems: [SYSTEMS]
  • Revenue-Generating Systems: [SYSTEMS]

4.3 Risk Tolerance

  • Risk Appetite: [LOW/MEDIUM/HIGH]
  • Acceptable Risk Level: [LEVEL]
  • Risk Management Approach: [APPROACH]
  • Previous Security Incidents: [INCIDENTS]
  • Insurance Coverage: [COVERAGE DETAILS]

5. TESTING REQUIREMENTS

5.1 Testing Objectives

  • Primary Objectives: [OBJECTIVES]
  • Secondary Objectives: [OBJECTIVES]
  • Compliance Testing: [REQUIREMENTS]
  • Vulnerability Assessment: [REQUIREMENTS]
  • Social Engineering: [REQUIREMENTS]
  • Physical Security: [REQUIREMENTS]

5.2 Testing Scope

  • In-Scope Systems: [SYSTEMS]
  • Out-of-Scope Systems: [SYSTEMS]
  • Testing Methods: [METHODS]
  • Testing Tools: [TOOLS]
  • Testing Techniques: [TECHNIQUES]

5.3 Testing Constraints

  • Time Restrictions: [RESTRICTIONS]
  • System Availability: [AVAILABILITY]
  • Network Restrictions: [RESTRICTIONS]
  • Data Access Restrictions: [RESTRICTIONS]
  • Third-Party Dependencies: [DEPENDENCIES]

6. PROJECT DETAILS

6.1 Timeline

  • Project Start Date: [DATE]
  • Project End Date: [DATE]
  • Testing Window: [WINDOW]
  • Reporting Deadline: [DEADLINE]
  • Remediation Timeline: [TIMELINE]

6.2 Resources

  • Client Resources: [RESOURCES]
  • Testing Team Size: [SIZE]
  • Required Expertise: [EXPERTISE]
  • Equipment Requirements: [EQUIPMENT]
  • Access Requirements: [ACCESS]

6.3 Deliverables

  • Executive Summary: [REQUIRED]
  • Technical Report: [REQUIRED]
  • Remediation Guide: [REQUIRED]
  • Presentation: [REQUIRED]
  • Raw Data: [REQUIRED]
  • Follow-up Support: [REQUIRED]

7. SPECIAL CONSIDERATIONS

7.1 Legal and Regulatory Considerations

  • Legal Requirements: [REQUIREMENTS]
  • Regulatory Compliance: [COMPLIANCE]
  • Data Protection: [PROTECTION]
  • Privacy Requirements: [REQUIREMENTS]
  • Intellectual Property: [PROPERTY]

7.2 Technical Considerations

  • Legacy Systems: [SYSTEMS]
  • Custom Applications: [APPLICATIONS]
  • Third-Party Integrations: [INTEGRATIONS]
  • Cloud Services: [SERVICES]
  • Mobile Devices: [DEVICES]

7.3 Business Considerations

  • Stakeholder Communication: [COMMUNICATION]
  • Change Management: [MANAGEMENT]
  • Training Requirements: [REQUIREMENTS]
  • Documentation Requirements: [REQUIREMENTS]
  • Ongoing Support: [SUPPORT]

8. RISK ASSESSMENT

8.1 Identified Risks

  • Technical Risks: [RISKS]
  • Business Risks: [RISKS]
  • Compliance Risks: [RISKS]
  • Operational Risks: [RISKS]
  • Reputation Risks: [RISKS]

8.2 Risk Mitigation

  • Mitigation Strategies: [STRATEGIES]
  • Contingency Plans: [PLANS]
  • Communication Plans: [PLANS]
  • Escalation Procedures: [PROCEDURES]
  • Emergency Contacts: [CONTACTS]

9. SUCCESS CRITERIA

9.1 Testing Success

  • Vulnerability Discovery: [CRITERIA]
  • System Coverage: [CRITERIA]
  • Compliance Validation: [CRITERIA]
  • Risk Assessment: [CRITERIA]
  • Recommendation Quality: [CRITERIA]

9.2 Project Success

  • Timeline Adherence: [CRITERIA]
  • Budget Compliance: [CRITERIA]
  • Client Satisfaction: [CRITERIA]
  • Deliverable Quality: [CRITERIA]
  • Follow-up Support: [CRITERIA]

10. SIGN-OFF

10.1 Client Approval

  • Scope Approval: [APPROVED BY]
  • Timeline Approval: [APPROVED BY]
  • Resource Approval: [APPROVED BY]
  • Budget Approval: [APPROVED BY]
  • Final Approval: [APPROVED BY]

10.2 Signatures

Client Representative:
  • Name: [NAME]
  • Title: [TITLE]
  • Signature: [SIGNATURE]
  • Date: [DATE]

Testing Team Lead:
  • Name: [NAME]
  • Title: [TITLE]
  • Signature: [SIGNATURE]
  • Date: [DATE]

๐Ÿ“ Template Usage Instructions

Step 1: Information Gathering

  • Schedule interviews with key stakeholders
  • Review existing documentation
  • Conduct technical discovery
  • Identify compliance requirements

Step 2: Questionnaire Completion

  • Fill out all relevant sections
  • Gather additional information as needed
  • Verify accuracy of information
  • Document any assumptions

Step 3: Review and Validation

  • Review with technical team
  • Validate with business stakeholders
  • Check for completeness
  • Identify any gaps

Step 4: Scope Definition

  • Define clear boundaries
  • Identify testing objectives
  • Establish success criteria
  • Document constraints

Step 5: Approval Process

  • Present to stakeholders
  • Address any concerns
  • Obtain formal approval
  • Document decisions

โš ๏ธ Important Considerations

Completeness

  • Comprehensive Coverage: Ensure all relevant areas are covered
  • Stakeholder Input: Include input from all relevant stakeholders
  • Technical Accuracy: Verify technical information accuracy
  • Business Context: Understand business impact and requirements

Clarity

  • Clear Language: Use clear, understandable language
  • Specific Details: Include specific, actionable information
  • Avoid Ambiguity: Eliminate ambiguous or unclear statements
  • Document Assumptions: Clearly document any assumptions

Practicality

  • Realistic Scope: Ensure scope is realistic and achievable
  • Resource Alignment: Align scope with available resources
  • Timeline Feasibility: Ensure timeline is realistic
  • Risk Management: Address potential risks and challenges

🔧 Customization Options

Industry-Specific Additions

  • Financial Services: Add financial data protection requirements
  • Healthcare: Include HIPAA compliance provisions
  • Government: Add security clearance requirements
  • Education: Include FERPA compliance provisions

Technology-Specific Sections

  • Cloud Services: Add cloud-specific questions
  • Mobile Applications: Include mobile security considerations
  • IoT Devices: Add IoT security questions
  • AI/ML Systems: Include AI security considerations

Compliance-Specific Requirements

  • PCI DSS: Add payment card industry requirements
  • GDPR: Include European data protection requirements
  • SOX: Add financial reporting requirements
  • HIPAA: Include healthcare privacy requirements

📊 Checklist for Scoping Questionnaire

Pre-Interview Checklist

  • Stakeholder list prepared
  • Technical documentation reviewed
  • Compliance requirements identified
  • Interview questions prepared
  • Meeting scheduled
  • Recording permissions obtained

During Interview Checklist

  • All sections covered
  • Technical details verified
  • Business context understood
  • Constraints identified
  • Questions answered
  • Follow-up items noted

Post-Interview Checklist

  • Information documented
  • Gaps identified
  • Assumptions documented
  • Scope defined
  • Timeline established
  • Resources allocated
  • Approval obtained

This template is provided for informational purposes only and should be customized based on the specific requirements of each engagement. The questionnaire should be reviewed and updated regularly to ensure it remains relevant and comprehensive.