
Sales

Q: We have agreed to use Foundstone, what are the first steps?

A: We appreciate your business and are eager to get started; however, there are some key things that must be done before testing can begin. First and foremost, all legal paperwork must be completed before we can schedule a time to conduct the tests. Typically, the paperwork consists of a services agreement (terms and conditions), a statement of work (SOW), and possibly a purchase order (PO), if one is required by your purchasing department.

Q: How soon should the kick-off happen?

A: Foundstone would like to do a kick-off call at least one week prior to the starting date of the engagement. That will provide you with enough time to arrange any logistical and technical details that may be needed for successful commencement of the assessment.

Q: Is it possible to revise the scope of work? If so how?

A: Yes. The scope can be revised simply by contacting your account manager, who will create an addendum to the existing Statement of Work.

Kick-off

Q: Who should be on the kick-off call and who should I tell about this work?

A: Exactly who needs to be on the kick-off call, and who you need to tell, will depend on the overall objectives of the test and how we conduct it. Some customers ask us to see whether their operational team is alerted while we are assessing their network, others want assurance that pre-production systems are secure before deployment, and others want a test of their production environment. In general, we recommend that you inform people about the work broadly and as early as possible. Getting general agreement early will prevent unexpected objections close to the testing dates that may cause delays. We recommend you consider notifying the following:

Q: Who actually does the work and how does Foundstone manage its projects?

A: All technical testing work is conducted by Foundstone security consultants. All employees are full-time, bonded, and background checked. We do not use contractors.

Each engagement has a project team. You may not interact with all members of the team, but each member plays a vital role in the success of your engagement. Some of the typical roles may include:

Q: How can I contact Foundstone for any questions or concerns?

A: The Foundstone team will provide detailed contact information for all the team members involved with this assessment. In most cases the project manager will be able to help you with all your questions, but you will also receive contact information for the regional director and account manager in case any issues need to be escalated. This contact information is sent with the pre-engagement checklist.

Q: Can I request specific consultants for this work?

A: If there are specific consultants you would like to work with, please let us know as soon as possible. If the consultant has not been previously committed, we will work on your request. Be assured, though, that we are as committed to the success of your project as you are, so we will always staff the project with the appropriate consultants to accomplish its goals. Further, a key part of Foundstone's success is the use of proven methodologies that allow us to provide consistent results from any of our consultants.

Q: What information does Foundstone need to begin the testing?

A: We generally need two types of information from you, logistical and technical.

Logistical - We will complete a pre-engagement checklist at the kick-off meeting and maintain it throughout the engagement. This includes contact details, travel arrangements, escalation procedures and other information.

Technical - The exact needs vary based on the type of assessment, but typically this includes target IP addresses, written policies, etc. The Foundstone Project Manager will provide a detailed list of the requirements prior to the kick-off meeting.

Q: Will Foundstone be able to address any specific concerns that we might have?

A: Absolutely! If there are any areas of the assessment that you are particularly interested in, please let the project manager know and we will do our best to address those concerns for you. This is the first question the Foundstone Project Manager will ask at the kick-off meeting.

Execution

Q: How much visibility do we have in the assessment process?

A: During the kick-off meeting, the project manager will explain in detail the various steps involved in the assessment process. The daily updates will also include details on the activities performed that day and the activities planned for the next day. At the end of the project, the technical report provides details on the methodology used to perform the engagement. If you need more details, or if you would like to "shoulder surf" during parts of the project, please let the project manager know before or during the kick-off meeting. We are happy to work with you to meet your requests, and questions are always welcome.

Q: What happens if my infrastructure is not ready or doesn’t work on the test date?

A: When we schedule an engagement, we work with you to help you understand the requirements for engagement success. This includes the technical and logistical items listed above. If these items are not available, or the system is not working on the day the testing begins, we are generally not able to proceed. You should check your terms and conditions, but in general this will incur a penalty cost, and your engagement will be resubmitted to scheduling and may be delayed. It is your responsibility to ensure that the items requested in the pre-engagement checklist are completed; otherwise Foundstone will not schedule your project to begin.

Q: What time of day will the testing be conducted?

A: Typically we perform the majority of the testing during normal North American business hours. This allows us to contact you immediately if any high-risk issues are identified. We do use some automated scanning tools that take a while to run, so those are often run overnight. We can access any of our assessment servers remotely, so we can immediately stop a scan if necessary, and many of our scanning tools can be scheduled to run only within certain time windows. We can adjust the timing as needed, but please keep in mind that overly restrictive time windows will limit the results we are able to provide within the assessment period. If your testing will require work outside of normal North American business hours, notify the engagement manager as soon as possible and prior to the kick-off call.

Q: If Foundstone gains access, will attempts be made to leverage that access to compromise other systems?

A: If we gain access to a system, we stop that line of testing and take a screenshot to illustrate the level of access we obtained. We provide that information to you and work with you to determine whether you would like us to pursue that line of testing further to clarify the risk posed to your organization.

Q: How long after the assessment will I see the results?

A: We provide daily updates throughout the assessment period in a preliminary findings document that details the issues identified to date. These findings are in the same format in which they will appear in the technical section of our report, so you will see the results almost exactly as they will be delivered in the final report. Additionally, if any high-risk issues are found that would allow an attacker to gain unauthorized access to a system or to sensitive data, these results are provided immediately, without waiting for the next daily update. After the conclusion of the testing, we typically provide a draft report within seven days or less.

Q: What constitutes the final deliverable?

A: The standard final deliverable is a CD containing the technical report, which includes an executive summary, and any raw data collected during the project. Check your SOW for any additional deliverables such as a technical presentation, an executive presentation, or a certification statement.

Q: What can I expect to see in the report?

A: The technical report provides details on the assessment, including the scope of the assessment, the positive aspects identified during the assessment, the vulnerabilities identified, tactical and strategic recommendations to help remediate the vulnerabilities, detailed notes collected during the engagement, and the methodology followed to perform the assessment.

The executive summary contains a high-level view of the project, including a short statement of the project scope, an overview of the findings, a set of strategic recommendations, and a security report card for the assessed areas.

If you have additional requirements for the reports, please let your project manager know before or during the kick-off meeting. We can accommodate most requests if they are made before we begin the assessment.

Q: Will I have a chance to review the report before it is finalized?

A: Yes, we provide all reports in draft format (in Microsoft Word) and ask for your feedback within five working days so that we may make any requested modifications before finalizing the report and sending you a printed copy with the CD via FedEx. If we have not received comments from you at the end of the five working days, we will confirm with you that you have no feedback and will finalize the draft. We are usually only able to make one set of changes to the report, so it is essential that you provide all of your feedback and detailed comments at one time, in writing, so we can address everything together.

Q: Will Foundstone retest the issues that are identified during the assessment once they are resolved?

A: If you would like to include retesting, we recommend you contact your account manager to add it to the statement of work to ensure appropriate resources will be available.

Q: What measures does Foundstone take to ensure the security of our information?

A: All client information is PGP encrypted while it is stored on laptops during an engagement. All email communication with you containing findings or other sensitive information is also encrypted. The vulnerabilities are discussed only with the members of your staff that you designate. After an engagement is completed, the laptops are cleaned of all client information using PGP wipe utilities, and the final reports are centrally archived.

Q: Should we expect any downtime during testing?

A: Foundstone takes extensive measures to ensure that the assessment does not result in any downtime. Downtime related to a Foundstone assessment has been extremely rare, but the possibility cannot be completely ruled out. Please tell the project manager about any assets that have high-availability requirements, and Foundstone consultants will use due care. These assets should be noted in the pre-engagement checklist.

Q: Will any intrusive testing be performed?

A: We do not run any automated tools, exploits, or scripts that are known to cause a denial of service, either as the main goal of the exploit or as a side effect. Most of our application assessments are performed using manual processes, and all of our automated scans are run in a non-intrusive mode. There is a minimal risk that even non-intrusive scans will cause issues for some legacy network devices.

Q: Do I have to stop updates to the application while Foundstone is performing the testing?

A: To perform thorough, comprehensive testing, it is important that Foundstone is provided access to a stable testing environment. This increases productivity and avoids unexpected delays. We discourage you from making any changes to the application while testing is in progress.

Note: This is specific only to our Software and Application Services.

Close out

Q: What will mark the project close out?

A: Acceptance of the final technical report and executive summary marks the end of the project assessment. Foundstone will conduct a close out meeting to provide details on the findings and recommendations and to address any outstanding concerns that you may have. Foundstone will then request a signed engagement activity report (EAR) and a feedback form.

Q: What if I have questions after the close out call?

A: We encourage our clients to contact us with any follow-up questions they might have. Someone from the Foundstone team will get back to you as soon as possible.

Q: Who do I contact for follow-on work?

A: Please contact the account manager or project manager for all follow-on work requests and proposals. Their contact information is provided in the pre-engagement checklist.

RFP Template

Foundstone has developed this Request for Proposal ("RFP") template to help organizations identify and select a quality security vendor to perform professional services work.
