The time cost is apparent, but you decide it’s worth putting the engagement on hold for one more meeting to iron out some of the specifics of the scope document.
You take the lead in the meeting and bring up some of the concerns about the scoping document.
“We’re more than happy to carry out the engagement as planned. That having been said, we want to make sure that we are in complete agreement on what’s allowed and what’s not during the engagement. We want to make sure we’re being as responsible as possible with your assets.”
You go over specific items with RisottoCorp’s IT lead, and they clarify a few things.
“We have an experimental data ingestion pipeline that uses Apache Spark and it seems like the leadership is concerned about keeping that online. I don’t think anything bad would happen, but let’s keep that out of scope for this engagement,” they say.
Additionally, you verify IP addresses and DNS records and now have a consolidated list of targets.
The second draft of the scope document is signed and returned to the team:
This looks much better! Your team agrees that it’s now much clearer what is allowed and what is not.
What do you do?