Rules of Engagement Vs. SOW
ovechtrick
Registered Users Posts: 2 ■■■□□□□□□□
in PenTest+
Hi all, long time lurker sitting for PT0-001 next week.
I'm feeling pretty good about all of the topics except for SoW and RoE. (I know, dumb)
Can someone please explain the difference between Rules of Engagement (RoE) and a Statement of Work (SoW)? Both documents seem like they include the same types of information. I've read Omar Santos' book, as well as the Raymond Nutting book, but cant seem to distinguish the difference. Any help would be great!
Comments
-
DZA_ Member Posts: 467 ■■■■■■■□□□My understanding that for Statement of Work (in the context of consulting or business) will define what deliverables will be created/handed over when engaged in a project or a business transaction. For example:Statement of work:- Delivery a pair of firewalls configured in high-availability- Configure web application firewall functionality for cross side scripting / input validation- Define and configure network to support firewall appliancesIn the context of pen testing (and correct me if I'm wrong guys for those who are in the field) is the restrictions or how you perform when you're conducting the pen test, for example:- Can only perform pen testing after business hours (8:00 PM)- Limited to using only certain penetration tools- Provided limited knowledge of the network or full knowledge of the network
Cheers, -
JDMurray Admin Posts: 13,099 AdminIf the SoW does not include a pentest then there will be no need for an RoE agreement.
-
yoba222 Member Posts: 1,237 ■■■■■■■■□□Based on my work experience, SOW is what you promise to do and ROE is what you promise not to do.A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP -
walterbyrd Member Posts: 40 ■■■□□□□□□□Seems to be grey area. For example, a list of IP ranges test, with instructions to not touch anything else. SOW or ROE?
-
JDMurray Admin Posts: 13,099 AdminThat clearly ROE. The rules state, "test only the hosts accessible at these IP addresses." The SOW indicates the actual work (i.e., testing) that is to be performed on those IPs.
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□walterbyrd said:Seems to be grey area. For example, a list of IP ranges test, with instructions to not touch anything else. SOW or ROE?
The SOW is the business contract that defines the scope of the services that will be performed for $x. What type of testing? (Blackbox?,Crystal box?, exclude Social Engineering?) When does the testing start? Duration? (1 week, 2 weeks, ect..) What is the deliverable? When will you receive it? ect..2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response