Good communication is essential for the success of the penetration test. Not only must the pen test team be able to communicate amongst themselves and with their lead, but the team lead must also be able to communicate with the designated client contact. Having an escalation path for communications protects individual pen testers from having to make risky or potentially damaging decisions on their own. You also want to make sure that communications follow a chain of command, and that team members report and escalate issues only to authorized individuals. Use these best practices when establishing an escalation path for communications:
- Establish a clear chain of command in the pen test team. Make sure that communications follow that path.
- Make sure that the pen test team project supervisor has a counterpart on the client side that they can immediately bring issues to.
- Ensure that there is always a supervisor on duty, including a fail-safe operator, for team members to contact.
Agree upon thresholds and protocols for contacting the other side during a problem, including:
- When/how the client will notify the pen test team that a test is unacceptably interfering with operations/system performance.
- When/how the pen test team will involve the client IT department if an accident occurs or a system becomes destabilized or unresponsive.
Train all team members to:
- Check in regularly with their lead, especially when starting and finishing a task.
- Check in with their lead if they encounter anything unusual or outside the scope of their task.
- Not make any decisions outside the scope of their task without authorization from their lead.
- Alert their lead immediately if a problem arises.