We have decided to use Foundstone. What are the first steps?
We appreciate your business and are eager to get started, but first there are some key things that must be done before testing can begin. First and foremost, all legal paperwork must be completed before we can schedule a time to conduct the tests. Typically, the paperwork consists of a services agreement (terms and conditions), a statement of work, and possibly a purchase order, if required by your purchasing department.
What is the best way to reach Foundstone?
Contact Foundstone via the method most convenient for you. Our sales staff can be reached by phone at 949-297-5600, through email at firstname.lastname@example.org, or via our website.
Is it possible to revise the scope of work? If so, how?
Yes. The scope can easily be revised simply by contacting your account manager. Typically, project scoping occurs before the statement of work, but an addendum to the existing statement of work can also be created.
How soon should the kickoff happen?
Foundstone conducts a kickoff call at least one week prior to the start date of the engagement. That provides you with enough time to arrange any logistical and technical details that may be needed for the successful commencement of the assessment.
Who should be on the kickoff call and who should I tell about this work?
Exactly who needs to be on the kickoff call, and who needs to be told about the project, will depend on the overall objectives of the assessment and how we conduct the actual test. Some customers ask us to see whether their operational team is alerted while we assess their network; others want assurance that preproduction systems are secure before deployment; and others request a test of their production environment. In general, we recommend that you tell colleagues about this project as early as possible and offer a thorough, detailed explanation of the work. Getting agreement early will prevent unexpected objections close to the testing dates that may cause delays. We recommend you consider notifying the following:
Who actually does the work and how does Foundstone manage its projects?
All technical testing is conducted by Foundstone security consultants. All employees are full-time, bonded, and have undergone thorough background checks. We do not use contractors.
Each engagement has a project team. You may not interact with all members of the team, but each member plays a vital role in the success of your engagement. Typical teams include:
How can I contact Foundstone with questions or concerns?
The Foundstone team will provide detailed contact information for all team members involved with this assessment. For most cases, the project manager will be able to help you with all questions, but you will also receive contact information for the regional director and account manager if any issues need to be escalated. This contact information is sent with the pre-engagement checklist.
Can I request specific consultants for this work?
If there are specific consultants you would like to work with, please let us know as soon as possible. If the consultant has not been previously committed, we will work on your request. Be assured that we are as committed to the success of your project as you are, so we will always staff the engagement with the appropriate consultants to accomplish the project goals. Furthermore, a key part of Foundstone’s success is the use of proven methodologies that allow us to provide consistent results from any of our consultants.
What information does Foundstone need to begin the testing?
We generally need two types of information from you: logistical and technical.
Will Foundstone be able to address any specific concerns that we might have?
Absolutely. If there are any areas of assessment that you are particularly interested in, please let the project manager know and we will do our best to address those concerns for you. This is the first question that the Foundstone project manager will ask at the kickoff meeting.
How much visibility do we have in the assessment process?
During the kickoff meeting, the project manager will detail the various steps involved in the assessment process. Also, daily updates will include specifics on the activities performed that day and plans for the next day. At the end of the project, the technical report provides details on the methodology used to perform the engagement as well as testing notes. If you need more details, or if you would like to “follow along” during the engagement, please let the project manager know before or during the kickoff meeting. We are happy to work with you to meet your requests, and questions are always welcome.
What happens if my infrastructure is not ready or doesn’t work on the test date?
When we schedule an engagement, we work with you to help you understand the requirements for success. This includes the technical and logistical items listed above. If these items are not available or the system is not working on the day the testing begins, we are generally not able to proceed. You should check your specific terms and conditions. Typically, this will incur a penalty cost and your engagement will be resubmitted to scheduling and may be delayed. It is your responsibility to ensure that the items requested in the pre-engagement checklist are completed or Foundstone will not schedule your project to begin.
What time of day will the testing be conducted?
Typically we perform a majority of the testing during normal business hours where you are located. This allows us to contact you immediately if any high-risk issues are identified. We do use some automated scanning tools that take a while to run, so those are often run overnight. We have the ability to access any of our assessment servers remotely, so we can immediately stop a scan if necessary. We also have the ability to schedule many of our scanning tools to run only within certain time windows, if necessary. We can adjust the timing, but please keep in mind that overly restrictive time windows will limit the effectiveness of our tools and the results we are able to provide within the assessment period. If your testing will require work outside of normal business hours, you should notify the project manager as soon as possible and prior to the kickoff call.
If Foundstone gains access, will attempts be made to leverage that access to compromise other systems?
If we gain access to a system, we stop that line of testing and take a screenshot to illustrate the level of access we obtained. We provide you with that information and work with you to determine if you want to pursue further testing to clarify the risk posed to your organization.
How long after the assessment will I see the results?
We provide daily updates throughout the assessment period with a preliminary findings document that details the issues identified to date. These findings are in the same format provided in the technical section of our report, so you will see the results almost exactly as they will be delivered in the final report. Additionally, if any high-risk issues are found that would allow an attacker to gain unauthorized access to a system or sensitive data, these results will be provided immediately without waiting until the next daily update. After the conclusion of the testing, we typically provide a draft report within five business days.
What constitutes the final deliverable?
The standard final deliverable is the technical report, which includes an executive summary and any raw data collected during the project. Check your statement of work for any additional deliverables such as a technical presentation, an executive presentation, or a certification statement. We can also deliver custom reports, such as a comma-separated file containing the findings.
What can I expect to see in the report?
The technical report provides details on the project, including the scope of the assessment, the positive aspects identified, the vulnerabilities identified, tactical and strategic recommendations to help remediate vulnerabilities, detailed notes collected during the engagement, and the methodology followed to perform the assessment.
The executive summary contains a high-level view of the project, including a short statement of the project scope, an overview of the findings, a set of strategic recommendations, and a security report card for the assessed areas that compares your organization to industry averages.
If you have additional requirements for the reports, please let your project manager know before or during the kickoff meeting. We can accommodate most requests if they are made before we begin the assessment.
Will I have a chance to review the report before it is finalized?
Yes. We provide all reports in draft format (in Microsoft Word) and ask for your feedback within five business days. We then make any requested modifications before finalizing the report. If we do not have comments from you at the end of five business days, we will confirm that you do not have any feedback and we will finalize the draft. We are usually only able to make one set of changes to the report, so it is essential that you provide all of your feedback and detailed comments in writing at one time, so we can address all of your concerns.
Will Foundstone retest the issues identified during the assessment once they are resolved?
If you would like to include retesting, contact your account manager to add it to the statement of work to ensure appropriate resources will be available.
What measures does Foundstone take to ensure the security of our information?
All client information is PGP-encrypted while it is stored on laptops during an engagement. This is in addition to the use of full disk encryption on consultant laptop hard drives. Also, all email communication with you containing findings or other sensitive information is encrypted. The vulnerabilities are discussed only with the members of your staff that you designate. After an engagement is completed, the laptops are cleaned of any client information using secure deletion utilities, and final reports are centrally archived.
Should we expect any downtime during testing?
Foundstone takes extensive measures to ensure that the assessment does not result in any downtime. Downtime related to a Foundstone assessment has been extremely rare, but the possibility cannot be completely ruled out. Please convey to the project manager any assets that have high availability requirements and Foundstone consultants will use due care. These assets should be noted in the pre-engagement checklist.
Will any intrusive testing be performed?
We do not run any automated tools, exploits, or scripts that are known to cause a denial of service either as the main goal of the exploit or as a side effect. Most of our application assessments are performed using manual processes, and all of our automated scans are run in a nonintrusive mode. There is a minimal risk that nonintrusive scans will cause issues for some legacy network devices.
Do I have to stop updates to the application while Foundstone is performing the testing?
To perform a thorough, comprehensive test it is important that Foundstone is provided access to a stable testing environment. This will increase productivity and avoid any unexpected delays. We discourage you from performing any changes to the application while testing is in progress. Note: This is specific only to our Software & Application Security Services.
What will mark the project close out?
Acceptance of the final technical report and executive summary marks the end of the project assessment. Foundstone conducts a close-out meeting to provide details on the findings and recommendations and to address any outstanding concerns. Foundstone then requests a signed engagement activity report (EAR) and feedback form.
What if I have questions after the close-out meeting?
We encourage our clients to contact us with any follow-up questions. Someone from the Foundstone team will get back to you as soon as possible.
Who do I contact for follow-up work?
Please contact the account manager or project manager for all follow-up work requests and proposals. Their contact information is provided in the pre-engagement checklist.