<div>
<div class="content wysiwyg-content">
I am looking for a broad scope on penetration testing/vulnerability exercises to engage a tender for 6-monthly assessments of our network. Most 3rd parties seem to steer you on the areas that should be included, but I was hoping for a more independent view on what type of areas are typically included for a thorough review, e.g. wireless, web apps, network devices, perimeter, build standards, end user equipment, telephony etc? I presume they will test as little or as much as you pay for, but some guidance on critical/desirable/little value per category would be most helpful so we know we are covering the critical areas at bare minimum, in line with budget. <br />
<br />
Also any guidance on certifications of companies to look out for as a marker of quality service, would also be useful.
</div>
</div>


I am looking for a broad scope on penetration testing/vulnerability exercises to engage a tender for 6-monthly assessments of our network. Most 3rd parties seem to steer you on the areas that should be included, but I was hoping for a more independent view on what type of areas are typically included for a thorough review, e.g. wireless, web apps, network devices, perimeter, build standards, end user equipment, telephony etc? I presume they will test as little or as much as you pay for, but some guidance on critical/desirable/little value per category would be most helpful so we know we are covering the critical areas at bare minimum, in line with budget. 

Also any guidance on certifications of companies to look out for as a marker of quality service, would also be useful.

pen testing scopes advice

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Vulnerabilities

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

OS Security

Network Management involves issues that are independent of specific hardware or software, including email policies, upgrade planning, backup scheduling and working with managed service providers for Desktop-As-A-Service (DaaS), Software-As-A-Service (SaaS) and the like through the use of tools, coupled with manufacturer standards, best practice guidelines, policies and procedures plus all other relevant documentation. Network management also includes monitoring, alerting and reporting, management reporting, planning for device or service updates, the backup of configurations, the setting of key performance indicators and measures (KPIs/KPMs), associated service level agreements and problem records as part of the IT Service Management (ITSM) framework.

Network Management

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.

Security

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.

Networking

Network security consists of the policies adopted to prevent and monitor authorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, and covers a variety of computer networks; conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access.