31 Mar Penetration Testing Engagement Plan

Penetration tests are attempts to evaluate the security of an IT infrastructure by safely trying to exploit operating system vulnerabilities, service and application flaws, improper configurations, or risky end-user behaviors. These assessments have become common across various industries, as they are useful in validating the efficacy of defensive mechanisms and end-user adherence to security policies.

Instead of approaching cybersecurity from the perspective of a defensive tactical team, this assessment will require you to assume the role as a member of an offensive cybersecurity team.

In this task, you will be given a penetration testing engagement plan that you will evaluate based on the business goals and industry best practices and guidance. You will also propose solutions to the gaps in the plan.

Scenario

Western View Hospital is a 100-bed facility that has been serving the residents of a rural community for over 80 years. The administration recently completed an expansive modernization of the medical and patient records system in an attempt to provide better care for members of the community.

Before the new system can go live, the hospital administration has authorized your firm, Pruhart Tech, to test it for potential vulnerabilities and to ensure the IT infrastructure can secure sensitive patient medical and financial data according to HIPAA compliance requirements. A senior manager at Pruhart Tech has asked a member of your team to develop a penetration testing engagement plan for Western View Hospital that is in alignment with their goals and follows industry best practices. To ensure the penetration testing plan is appropriate for the hospital before it is put into action, your manager has asked you to evaluate the testing plan, provide recommendations for improvements, and propose solutions to any problems you identify.

Write an evaluation of the attached “Penetration Testing Engagement Plan” by doing the following:

A. Evaluate the alignment between Western View Hospital’s goals, objectives, functions, processes, and practices and the penetration testing plan by doing the following:

1. Describe each of the following:
• the client’s goals,
• the client’s objectives,
• the client’s functions,
• the client’s processes, and
• the client’s practices.

2. Describe the structure of the penetration testing engagement plan (e.g., scope, test type, approach, technique).

3. Identify potential misalignments between the penetration testing engagement plan and each of the following:
• the company’s goals,
• the company’s objectives,
• the company’s functions,
• the company’s processes, and
• the company’s practices.

B. Evaluate the penetration testing engagement plan by doing the following:

1. Identify best practices and frameworks for a penetration testing engagement plan designed to meet Western View Hospital’s requirements.

Note: You must identify two best practices and two compliance frameworks.

2. Compare the penetration testing engagement plan to the best practices and frameworks identified in part B1.

C. Propose potential improvements and solutions to problems identified in the penetration testing engagement plan by doing the following:

1. Give two specific recommendations for improvements to the penetration testing engagement plan.

2. Give two specific examples of solutions to problems you identified in the penetration testing engagement plan.

Note: Problems can include misalignments between the plan and the client’s goals, inappropriately applied frameworks, or failure to use industry best practices.

D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

E. Demonstrate professional communication in the content and presentation of your submission.

The submission provides a description of the client’s goals, objectives, functions, processes, and practices that is accurate with sufficient detail.

The submission provides a description of the penetration testing engagement plan structure that is accurate with sufficient detail.

The submission identifies misalignments between the client’s goals, objectives, functions, processes, and practices and the penetration testing engagement plan that are factually accurate with sufficient detail.

The submission identifies industry best practices and frameworks for a penetration testing engagement plan that are appropriate for the client’s requirements.

The submission provides a comparison of the penetration testing engagement plan to the industry best practices and frameworks identified in part B1 and is supported with specific examples and essential details.

The submission provides 2 improvements to the penetration testing engagement plan that are logical and are supported with specific examples and essential details.

The submission provides 2 solutions to problems in the penetration testing engagement plan that are logical and are supported with specific examples and essential details.

The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available.

This submission includes satisfactory use of grammar, sentence fluency, contextual spelling, and punctuation, which promote accurate interpretation and understanding.