Penetration Test Program Assessment

 

Our Penetration Test Program Assessment evaluates program activities and documentation to identify areas for improvement.

The foundation of the assessment is ‘NIST SP 800-115, Technical Guide to Information Security Testing and Assessment’. Remaining practices have been developed by Gideon Rasmussen based on 20+ years of cybersecurity experience within corporate and military organizations.

Areas of focus include:

  • Cyber Threat Intelligence
    		•
  • Escalations
    		•
  • Metrics and Trending
    		•
  • Onboarding and Training
    		•
  • Penetration Test Reports
    		•
  • Policies and Standards
    		•
  • Process and Procedures
    		•
  • Quality Assurance
    		•
  • Remediation Tracking
    		•
  • Risk Model
    		•
  • Root Cause Analysis
    		•
  • Scope and Coverage
    		•
  • Sharing Best Practices
    		•
  • Talent Retention
    		•
  • Testing Tools and Techniques
    		•
  • Testing Within Agile
    		•
  • Threat Modeling
    		•
  • Web Applications and Infrastructure
    		•
Assessment activities consist of: [1] observation of controls, [2] documentation and artifact review and [3] interviews of the Program Manager and the Pen Testers. The assessment is conducted by phone and screen share.

Deliverables include an assessment report and a slide deck presented to executive leadership.

Fees and Payment

The assessment is billed at a flat rate. The engagement begins once the Statement of Work and Contract are signed and upon receipt of the first of three equal payments.

Phase Milestone Amount
1 SOW and Contract Execution 1/3 payment
2 First Assessment Interview 1/3 payment
3 Delivery of Draft Report 1/3 payment

Next Steps

Each engagement can be customized to meet the needs of the client. The first step in the process is to have a conference call to discuss requirements.

Recommendation

"Our company engaged Gideon to perform an assessment of our penetration testing program to identify any areas of deficiency or room for improvement. Gideon performed an excellent review of our processes and procedures and offered educated and strategic recommendations to assist in improving an already mature environment. Based on his years of experience and insight, he's able to assess an environment from a security perspective and offer guidance for perfecting programs and taking them to the next level. He's more than capable of looking at the big picture while also understanding the unique components that make up each aspect of a sound security program and make recommendations for perfecting underlying processes."

Assessment Options

Custom assessments may be conducted based on the needs of the client. Here are examples:

Assessments
Application Security Vendors and Service Providers Cybersecurity Program Ransomware
Business Process Risk Incident Response Line of Business Risk FMEA Process Risk
Security Operations Center (SOC) Fraud Prevention Insider Threat Security Awareness Program
Mergers and Acquisitions Infrastructure Security Zero Trust Security Model Threat Landscape and Controls
Cyber Exercise Program Penetration Test Program Cybersecurity Function Agile Security Testing

This service offering description provides an overview for informational purposes only. The Statement of Work and the Master Services Agreement are the official documents for each assessment engagement.