While the new scope document looks much better, you identified a notable omission. The scope document does not list any of the regulations and laws that apply to RisottoCorp's data. Your team lead had sent a few requests for this information to the RisottoCorp staff, but never received word back.
Additionally, there is no guidance about mandatory reporting of fraudulent, illegal, or prior compromise activity. If the red team were to identify evidence of some kind of crime, there is no wording in the current document that would guide how to handle the situation.
You opt for another round of scope clarification. This time, for expediency’s sake, you send an email. The IT team responds:
SecureEnt team,

Well, no one can say your team isn't thorough! It reflects positively on you all that you're willing to try to clarify scope as much as you do. I apologize for not getting back to you about our specific data regulations. I've included that in the comments in the attachment, and that should give you enough guidance to complete the document. As for illegal activity, I've also included a passage from our legal team. Any evidence of crime, prior compromise, or the like should be reported to me and the legal team immediately. The SecureEnt team will not be held responsible in that event as long as there is immediate, good-faith reporting of the incident. I think that should be everything! Thanks again for helping us clarify.

- IT Lead
The final scope document is released to the team and it looks comprehensive.
The entire team now feels comfortable enough to begin the assessment. We’ll start with scanning and enumeration!