Rules of Engagement (RoE) Template

📋 What are Rules of Engagement?

Rules of Engagement (RoE) is a critical document that defines the specific rules, limitations, and guidelines governing how a penetration test will be conducted. It establishes the boundaries of acceptable testing activities and ensures that both the testing team and the client understand what is and isn’t allowed during the engagement.

Purpose of Rules of Engagement

  • Clear Boundaries: Define exactly what testing activities are permitted
  • Risk Mitigation: Minimize risks to business operations and systems
  • Legal Protection: Provide a legal framework for testing activities
  • Expectation Management: Ensure all parties understand testing limitations
  • Safety Guidelines: Protect both the testing team and the client’s systems
  • Compliance: Ensure testing meets regulatory and industry requirements

Key Components

  • Testing Scope: What systems and activities are included
  • Prohibited Activities: What activities are not allowed
  • Time Restrictions: When testing can and cannot occur
  • Data Handling: How sensitive data should be handled
  • Communication: How and when to communicate during testing
  • Emergency Procedures: What to do in case of problems
  • Escalation: When and how to escalate issues

When to Use

  • Before starting any penetration testing engagement
  • When defining testing boundaries and limitations
  • For complex or high-risk engagements
  • When working with critical systems
  • For compliance-driven testing requirements

📄 Rules of Engagement Template

RULES OF ENGAGEMENT

Document Information:

  • Document Version: [VERSION]
  • Effective Date: [DATE]
  • Project: [PROJECT NAME]
  • Client: [CLIENT COMPANY NAME]
  • Testing Team: [TESTING TEAM NAME]

1. EXECUTIVE SUMMARY

1.1 Purpose

These Rules of Engagement define the specific guidelines, limitations, and procedures that will govern the penetration testing engagement for [CLIENT COMPANY NAME]. All testing activities must comply with these rules to ensure the safety and security of both the testing team and the client’s systems.

1.2 Scope

These rules apply to all penetration testing activities conducted as part of this engagement, including:

  • Network penetration testing
  • Web application testing
  • Mobile application testing
  • Social engineering testing
  • Physical security testing
  • Wireless network testing

1.3 Compliance

All testing activities must comply with:

  • Applicable laws and regulations
  • Industry standards and best practices
  • Client policies and procedures
  • Professional ethics and conduct
  • This Rules of Engagement document

2. TESTING SCOPE

2.1 In-Scope Systems

2.1.1 Network Infrastructure

  • Target Networks: [NETWORK RANGES]
  • Target Systems: [SYSTEM LIST]
  • Target Services: [SERVICE LIST]
  • Target Applications: [APPLICATION LIST]

2.1.2 Testing Activities

  • Vulnerability Assessment: [ACTIVITIES]
  • Penetration Testing: [ACTIVITIES]
  • Social Engineering: [ACTIVITIES]
  • Physical Security: [ACTIVITIES]

2.2 Out-of-Scope Systems

2.2.1 Excluded Systems

  • Production Systems: [EXCLUDED SYSTEMS]
  • Critical Infrastructure: [EXCLUDED SYSTEMS]
  • Third-Party Systems: [EXCLUDED SYSTEMS]
  • Legacy Systems: [EXCLUDED SYSTEMS]

2.2.2 Excluded Activities

  • Denial of Service: [PROHIBITED ACTIVITIES]
  • Data Modification: [PROHIBITED ACTIVITIES]
  • System Disruption: [PROHIBITED ACTIVITIES]
  • Unauthorized Access: [PROHIBITED ACTIVITIES]

3. TESTING CONSTRAINTS

3.1 Time Restrictions

3.1.1 Testing Windows

  • Allowed Hours: [TIME RANGE]
  • Prohibited Hours: [TIME RANGE]
  • Weekend Testing: [ALLOWED/PROHIBITED]
  • Holiday Testing: [ALLOWED/PROHIBITED]

3.1.2 Business Hours

  • Peak Business Hours: [HOURS]
  • Critical Business Periods: [PERIODS]
  • Maintenance Windows: [WINDOWS]
  • Emergency Procedures: [PROCEDURES]

3.2 System Constraints

3.2.1 System Availability

  • Critical Systems: [SYSTEMS AND RESTRICTIONS]
  • Production Systems: [SYSTEMS AND RESTRICTIONS]
  • Customer-Facing Systems: [SYSTEMS AND RESTRICTIONS]
  • Backup Systems: [SYSTEMS AND RESTRICTIONS]

3.2.2 Performance Constraints

  • Resource Usage Limits: [LIMITS]
  • Network Bandwidth Limits: [LIMITS]
  • CPU Usage Limits: [LIMITS]
  • Memory Usage Limits: [LIMITS]

3.3 Data Constraints

3.3.1 Data Access

  • Sensitive Data: [DATA TYPES AND RESTRICTIONS]
  • Personal Data: [DATA TYPES AND RESTRICTIONS]
  • Financial Data: [DATA TYPES AND RESTRICTIONS]
  • Intellectual Property: [DATA TYPES AND RESTRICTIONS]

3.3.2 Data Handling

  • Data Collection: [RESTRICTIONS]
  • Data Storage: [RESTRICTIONS]
  • Data Transmission: [RESTRICTIONS]
  • Data Disposal: [RESTRICTIONS]

4. PROHIBITED ACTIVITIES

4.1 System Disruption

4.1.1 Denial of Service

  • DoS Attacks: [PROHIBITED]
  • DDoS Attacks: [PROHIBITED]
  • Resource Exhaustion: [PROHIBITED]
  • Service Interruption: [PROHIBITED]

4.1.2 System Modification

  • Configuration Changes: [PROHIBITED]
  • Data Modification: [PROHIBITED]
  • System Updates: [PROHIBITED]
  • Service Restarts: [PROHIBITED]

4.2 Data Access

4.2.1 Unauthorized Access

  • Privilege Escalation: [RESTRICTIONS]
  • Lateral Movement: [RESTRICTIONS]
  • Data Exfiltration: [RESTRICTIONS]
  • Persistent Access: [RESTRICTIONS]

4.2.2 Data Handling

  • Data Copying: [RESTRICTIONS]
  • Data Transmission: [RESTRICTIONS]
  • Data Storage: [RESTRICTIONS]
  • Data Sharing: [RESTRICTIONS]

4.3 Network Activities

4.3.1 Network Disruption

  • Network Flooding: [PROHIBITED]
  • Routing Changes: [PROHIBITED]
  • DNS Manipulation: [PROHIBITED]
  • Network Segmentation: [PROHIBITED]

4.3.2 Traffic Interception

  • Man-in-the-Middle: [RESTRICTIONS]
  • Traffic Sniffing: [RESTRICTIONS]
  • Session Hijacking: [RESTRICTIONS]
  • Credential Theft: [RESTRICTIONS]

5. ALLOWED ACTIVITIES

5.1 Reconnaissance

5.1.1 Passive Reconnaissance

  • Public Information Gathering: [ALLOWED]
  • Search Engine Queries: [ALLOWED]
  • Social Media Analysis: [ALLOWED]
  • DNS Enumeration: [ALLOWED]

5.1.2 Active Reconnaissance

  • Port Scanning: [ALLOWED WITH RESTRICTIONS]
  • Service Enumeration: [ALLOWED WITH RESTRICTIONS]
  • Banner Grabbing: [ALLOWED WITH RESTRICTIONS]
  • Vulnerability Scanning: [ALLOWED WITH RESTRICTIONS]

5.2 Vulnerability Assessment

5.2.1 Automated Scanning

  • Vulnerability Scanners: [ALLOWED WITH RESTRICTIONS]
  • Network Scanners: [ALLOWED WITH RESTRICTIONS]
  • Web Scanners: [ALLOWED WITH RESTRICTIONS]
  • Database Scanners: [ALLOWED WITH RESTRICTIONS]

5.2.2 Manual Testing

  • Configuration Review: [ALLOWED]
  • Code Review: [ALLOWED]
  • Authentication Testing: [ALLOWED WITH RESTRICTIONS]
  • Authorization Testing: [ALLOWED WITH RESTRICTIONS]

5.3 Exploitation

5.3.1 Controlled Exploitation

  • Proof of Concept: [ALLOWED WITH RESTRICTIONS]
  • Vulnerability Validation: [ALLOWED WITH RESTRICTIONS]
  • Impact Assessment: [ALLOWED WITH RESTRICTIONS]
  • Risk Evaluation: [ALLOWED WITH RESTRICTIONS]

5.3.2 Post-Exploitation

  • System Information Gathering: [ALLOWED WITH RESTRICTIONS]
  • Network Mapping: [ALLOWED WITH RESTRICTIONS]
  • Privilege Escalation: [ALLOWED WITH RESTRICTIONS]
  • Lateral Movement: [ALLOWED WITH RESTRICTIONS]

6. COMMUNICATION PROCEDURES

6.1 Communication Channels

6.1.1 Primary Communication

  • Primary Contact: [CONTACT INFORMATION]
  • Communication Method: [METHOD]
  • Response Time: [TIME]
  • Escalation Process: [PROCESS]

6.1.2 Emergency Communication

  • Emergency Contact: [CONTACT INFORMATION]
  • Emergency Method: [METHOD]
  • Response Time: [TIME]
  • Escalation Process: [PROCESS]

6.2 Reporting Requirements

6.2.1 Daily Reporting

  • Report Format: [FORMAT]
  • Report Content: [CONTENT]
  • Report Timing: [TIMING]
  • Report Recipients: [RECIPIENTS]

6.2.2 Incident Reporting

  • Incident Definition: [DEFINITION]
  • Reporting Process: [PROCESS]
  • Response Time: [TIME]
  • Escalation Process: [PROCESS]

6.3 Status Updates

6.3.1 Progress Updates

  • Update Frequency: [FREQUENCY]
  • Update Content: [CONTENT]
  • Update Format: [FORMAT]
  • Update Recipients: [RECIPIENTS]

6.3.2 Milestone Updates

  • Milestone Definition: [DEFINITION]
  • Update Process: [PROCESS]
  • Update Timing: [TIMING]
  • Update Recipients: [RECIPIENTS]

7. EMERGENCY PROCEDURES

7.1 Incident Response

7.1.1 Incident Detection

  • Monitoring: [MONITORING PROCEDURES]
  • Alerting: [ALERTING PROCEDURES]
  • Reporting: [REPORTING PROCEDURES]
  • Documentation: [DOCUMENTATION PROCEDURES]

7.1.2 Incident Response

  • Assessment: [ASSESSMENT PROCEDURES]
  • Containment: [CONTAINMENT PROCEDURES]
  • Investigation: [INVESTIGATION PROCEDURES]
  • Recovery: [RECOVERY PROCEDURES]

7.2 Emergency Contacts

7.2.1 Internal Contacts

  • Project Manager: [CONTACT INFORMATION]
  • Technical Lead: [CONTACT INFORMATION]
  • Security Team: [CONTACT INFORMATION]
  • Management: [CONTACT INFORMATION]

7.2.2 External Contacts

  • Client Contact: [CONTACT INFORMATION]
  • Vendor Contact: [CONTACT INFORMATION]
  • Legal Contact: [CONTACT INFORMATION]
  • Emergency Services: [CONTACT INFORMATION]

7.3 Escalation Procedures

7.3.1 Escalation Levels

  • Level 1: [ESCALATION LEVEL]
  • Level 2: [ESCALATION LEVEL]
  • Level 3: [ESCALATION LEVEL]
  • Level 4: [ESCALATION LEVEL]

7.3.2 Escalation Criteria

  • Technical Issues: [CRITERIA]
  • Business Issues: [CRITERIA]
  • Legal Issues: [CRITERIA]
  • Security Issues: [CRITERIA]

8. DATA HANDLING

8.1 Data Classification

8.1.1 Data Types

  • Public Data: [DATA TYPES]
  • Internal Data: [DATA TYPES]
  • Confidential Data: [DATA TYPES]
  • Restricted Data: [DATA TYPES]

8.1.2 Data Handling Requirements

  • Collection: [REQUIREMENTS]
  • Storage: [REQUIREMENTS]
  • Transmission: [REQUIREMENTS]
  • Disposal: [REQUIREMENTS]

8.2 Data Security

8.2.1 Data Protection

  • Encryption: [REQUIREMENTS]
  • Access Control: [REQUIREMENTS]
  • Audit Logging: [REQUIREMENTS]
  • Backup: [REQUIREMENTS]

8.2.2 Data Retention

  • Retention Period: [PERIOD]
  • Storage Location: [LOCATION]
  • Access Rights: [RIGHTS]
  • Disposal Method: [METHOD]

9. COMPLIANCE REQUIREMENTS

9.1 Regulatory Compliance

9.1.1 Data Protection

  • GDPR: [REQUIREMENTS]
  • CCPA: [REQUIREMENTS]
  • HIPAA: [REQUIREMENTS]
  • SOX: [REQUIREMENTS]

9.1.2 Industry Standards

  • PCI DSS: [REQUIREMENTS]
  • ISO 27001: [REQUIREMENTS]
  • NIST Framework: [REQUIREMENTS]
  • CIS Controls: [REQUIREMENTS]

9.2 Authorization and Documentation

9.2.1 Authorization

  • Testing Authorization: [REQUIREMENTS]
  • Data Access Authorization: [REQUIREMENTS]
  • System Access Authorization: [REQUIREMENTS]
  • Network Access Authorization: [REQUIREMENTS]

9.2.2 Documentation

  • Legal Documentation: [REQUIREMENTS]
  • Compliance Documentation: [REQUIREMENTS]
  • Audit Documentation: [REQUIREMENTS]
  • Evidence Documentation: [REQUIREMENTS]

10. SAFETY GUIDELINES

10.1 System Safety

10.1.1 System Protection

  • Backup Procedures: [PROCEDURES]
  • Rollback Plans: [PLANS]
  • Monitoring: [MONITORING]
  • Alerting: [ALERTING]

10.1.2 Data Safety

  • Data Backup: [PROCEDURES]
  • Data Recovery: [PROCEDURES]
  • Data Integrity: [PROCEDURES]
  • Data Privacy: [PROCEDURES]

10.2 Team Safety

10.2.1 Personal Safety

  • Physical Safety: [GUIDELINES]
  • Legal Safety: [GUIDELINES]
  • Professional Safety: [GUIDELINES]
  • Reputation Safety: [GUIDELINES]

10.2.2 Professional Safety

  • Ethical Conduct: [GUIDELINES]
  • Professional Standards: [GUIDELINES]
  • Legal Compliance: [GUIDELINES]
  • Client Relations: [GUIDELINES]

11. MONITORING AND LOGGING

11.1 Monitoring Requirements

11.1.1 System Monitoring

  • Performance Monitoring: [REQUIREMENTS]
  • Security Monitoring: [REQUIREMENTS]
  • Network Monitoring: [REQUIREMENTS]
  • Application Monitoring: [REQUIREMENTS]

11.1.2 Activity Monitoring

  • Testing Activities: [REQUIREMENTS]
  • Access Activities: [REQUIREMENTS]
  • Data Activities: [REQUIREMENTS]
  • Communication Activities: [REQUIREMENTS]

11.2 Logging Requirements

11.2.1 Log Types

  • System Logs: [REQUIREMENTS]
  • Security Logs: [REQUIREMENTS]
  • Network Logs: [REQUIREMENTS]
  • Application Logs: [REQUIREMENTS]

11.2.2 Log Management

  • Log Collection: [REQUIREMENTS]
  • Log Storage: [REQUIREMENTS]
  • Log Analysis: [REQUIREMENTS]
  • Log Retention: [REQUIREMENTS]

12. VIOLATIONS AND CONSEQUENCES

12.1 Violation Types

12.1.1 Minor Violations

  • Procedural Violations: [VIOLATIONS]
  • Documentation Violations: [VIOLATIONS]
  • Communication Violations: [VIOLATIONS]
  • Timeline Violations: [VIOLATIONS]

12.1.2 Major Violations

  • Scope Violations: [VIOLATIONS]
  • Safety Violations: [VIOLATIONS]
  • Legal Violations: [VIOLATIONS]
  • Ethical Violations: [VIOLATIONS]

12.2 Consequences

12.2.1 Minor Consequences

  • Warning: [CONSEQUENCE]
  • Training: [CONSEQUENCE]
  • Documentation: [CONSEQUENCE]
  • Review: [CONSEQUENCE]

12.2.2 Major Consequences

  • Project Suspension: [CONSEQUENCE]
  • Team Removal: [CONSEQUENCE]
  • Legal Action: [CONSEQUENCE]
  • Contract Termination: [CONSEQUENCE]

13. SIGN-OFF AND APPROVAL

13.1 Client Approval

Client Representative:

  • Name: [NAME]
  • Title: [TITLE]
  • Signature: [SIGNATURE]
  • Date: [DATE]

Technical Lead:

  • Name: [NAME]
  • Title: [TITLE]
  • Signature: [SIGNATURE]
  • Date: [DATE]

13.2 Testing Team Approval

Project Manager:

  • Name: [NAME]
  • Title: [TITLE]
  • Signature: [SIGNATURE]
  • Date: [DATE]

Technical Lead:

  • Name: [NAME]
  • Title: [TITLE]
  • Signature: [SIGNATURE]
  • Date: [DATE]


📝 Template Usage Instructions

Step 1: Customization

  • Review and customize rules for your engagement
  • Update scope and constraints as needed
  • Modify communication procedures
  • Add client-specific requirements

Step 2: Review and Approval

  • Review with all stakeholders
  • Address any concerns or questions
  • Obtain formal approval
  • Document all decisions

Step 3: Implementation

  • Distribute to all team members
  • Ensure understanding of all rules
  • Implement monitoring and logging
  • Establish communication procedures

Step 4: Monitoring

  • Monitor compliance with rules
  • Address violations promptly
  • Update rules as needed
  • Maintain documentation
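One practical way to "implement monitoring" of the rules is to turn the filled-in template into a machine-readable scope file and run a pre-flight gate before any active testing starts. The Python below is an added example and is not part of the template or of any project; the ROE dictionary holds constructed sample values standing in for the bracketed placeholders in sections 2.1.1, 2.2.1, 3.1.1 and 3.1.2, the client timezone is modelled as a fixed UTC offset (a real deployment would use zoneinfo), and the function names are the example's own. It shows the two checks every engagement needs: is the target in scope (exclusions win over inclusions), and does the start time fall inside the agreed testing window.

```python
"""Pre-flight scope and time-window gate derived from a Rules of Engagement document.

Added example, not part of the template. Section numbers in the comments
refer to the RoE template above. All ROE values below are constructed
sample data, not values from any real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed stand-ins for [NETWORK RANGES], [EXCLUDED SYSTEMS],
# [TIME RANGE], [ALLOWED/PROHIBITED] and [PERIODS].
ROE = {
    "in_scope_networks": ["10.20.0.0/16", "192.0.2.0/24"],   # 2.1.1 target networks
    "excluded_hosts": ["10.20.1.5", "10.20.1.6"],              # 2.2.1 excluded systems
    "excluded_networks": ["10.20.50.0/24"],                    # 2.2.1 excluded range
    "utc_offset_hours": 2,                                     # client's local time (assumed fixed offset)
    "allowed_hours": (time(22, 0), time(6, 0)),                # 3.1.1 overnight window, local time
    "weekend_testing": False,                                  # 3.1.1
    "blackout_dates": ["2024-12-31"],                          # 3.1.2 critical business periods
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def client_tz(roe: dict = ROE) -> timezone:
    """Fixed-offset timezone for the client; a real deployment would use zoneinfo."""
    return timezone(timedelta(hours=roe["utc_offset_hours"]))


def local_time(iso: str, roe: dict = ROE) -> datetime:
    """Parse a naive ISO timestamp written in the client's local time."""
    return datetime.fromisoformat(iso).replace(tzinfo=client_tz(roe))


def in_scope(target: str, roe: dict = ROE) -> Decision:
    """Section 2: the target must sit in an in-scope range and not be excluded.
    Exclusions are evaluated first, so an excluded host inside an in-scope
    range is still refused (the conservative reading of the document)."""
    try:
        ip = ip_address(target)
    except ValueError:
        return Decision(False, f"{target!r} is not an IP address; resolve names before checking")
    if any(ip == ip_address(h) for h in roe["excluded_hosts"]):
        return Decision(False, f"{ip} is an excluded system (2.2.1)")
    if any(ip in ip_network(n) for n in roe["excluded_networks"]):
        return Decision(False, f"{ip} is inside an excluded range (2.2.1)")
    if not any(ip in ip_network(n) for n in roe["in_scope_networks"]):
        return Decision(False, f"{ip} is outside every in-scope range (2.1.1)")
    return Decision(True, f"{ip} is in scope (2.1.1)")


def in_window(when: datetime, roe: dict = ROE) -> Decision:
    """Section 3.1: the start time must fall inside the allowed hours, on a
    permitted day and outside blackout dates, all judged in client local time."""
    tz = client_tz(roe)
    local = when.astimezone(tz) if when.tzinfo else when.replace(tzinfo=tz)
    if local.date().isoformat() in roe["blackout_dates"]:
        return Decision(False, f"{local.date()} is a critical business period (3.1.2)")
    if local.weekday() >= 5 and not roe["weekend_testing"]:
        return Decision(False, "weekend testing is prohibited (3.1.1)")
    start, end = roe["allowed_hours"]
    now = local.time()
    # A window such as 22:00-06:00 wraps past midnight, so handle both shapes.
    inside = start <= now < end if start < end else (now >= start or now < end)
    if not inside:
        return Decision(False, f"{now:%H:%M} is outside allowed hours {start:%H:%M}-{end:%H:%M} (3.1.1)")
    return Decision(True, f"{local:%Y-%m-%d %H:%M} is inside the testing window (3.1.1)")


def authorize(target: str, when: datetime, roe: dict = ROE) -> Decision:
    """Combined gate: both checks must pass; the first failure is the reason reported."""
    for check in (in_scope(target, roe), in_window(when, roe)):
        if not check.allowed:
            return check
    return Decision(True, "target in scope and start time inside the testing window")


if __name__ == "__main__":
    start = local_time("2024-06-12T23:30")  # a Wednesday night, inside the window
    for host in ("10.20.3.7", "10.20.1.5", "10.20.50.9", "203.0.113.4", "web01"):
        print(f"{host:>14}: {authorize(host, start)}")
```

Wrapping every scanner or exploitation tool invocation in `authorize()` turns the bracketed placeholders into something that is actually enforced, and the `reason` string cites the section that refused the request, which is what an auditor or the client contact will ask for. Note that the day check applies to the start time, so a Friday 23:00 start that continues into Saturday is permitted while a Saturday 01:00 start is not; if the client wants the spill-over forbidden too, add an expected duration to the check.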

⚠️ Important Considerations

Clarity

  • Clear Language: Use clear, unambiguous language
  • Specific Details: Include specific, actionable information
  • Avoid Ambiguity: Eliminate ambiguous statements
  • Document Examples: Provide examples where helpful

Completeness

  • Comprehensive Coverage: Cover all relevant areas
  • Stakeholder Input: Include input from all stakeholders
  • Legal Review: Have legal review completed
  • Technical Review: Have technical review completed

Practicality

  • Realistic Rules: Ensure rules are realistic and achievable
  • Resource Alignment: Align rules with available resources
  • Timeline Feasibility: Ensure rules support project timeline
  • Risk Management: Address potential risks and challenges

This template is provided for informational purposes only and should be customized based on the specific requirements of each engagement. The Rules of Engagement should be reviewed and updated regularly to ensure they remain relevant and effective.