Rules of Engagement Vs. SOW

ovechtrick Registered Users Posts: 2
Hi all, long time lurker sitting for PT0-001 next week. I'm feeling pretty good about all of the topics except for SoW and RoE. (I know, dumb) Can someone please explain the difference between Rules of Engagement (RoE) and a Statement of Work (SoW)? Both documents seem like they include the same types of information. I've read Omar Santos' book, as well as the Raymond Nutting book, but cant seem to distinguish the difference. Any help would be great!

Comments

  • DZA_ Member Posts: 443
    My understanding is that a Statement of Work (in the context of consulting or business) will define what deliverables will be created/handed over when engaged in a project or a business transaction. For example:

    Statement of work:
    - Deliver a pair of firewalls configured in high-availability
    - Configure web application firewall functionality for cross-site scripting / input validation
    - Define and configure network to support firewall appliances

    In the context of pen testing (and correct me if I'm wrong, guys, for those who are in the field), the RoE is the restrictions on how you perform when you're conducting the pen test, for example:

    - Can only perform pen testing after business hours (8:00 PM)
    - Limited to using only certain penetration tools
    - Provided limited knowledge of the network or full knowledge of the network 

    Cheers, 
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,270
    If the SoW does not include a pentest then there will be no need for an RoE agreement.
  • yoba222 Senior Member Posts: 1,230
    edited February 2019
    Based on my work experience, SOW is what you promise to do and ROE is what you promise not to do.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • ovechtrick Registered Users Posts: 2
    Thank you all for your comments!
  • walterbyrd Member Posts: 39
    Seems to be a grey area. For example, a list of IP ranges to test, with instructions to not touch anything else. SOW or ROE?
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,270
    That's clearly ROE. The rules state, "test only the hosts accessible at these IP addresses." The SOW indicates the actual work (i.e., testing) that is to be performed on those IPs.
  • iBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,309
    Seems to be a grey area. For example, a list of IP ranges to test, with instructions to not touch anything else. SOW or ROE?
    That is the ROE. Think of the ROE as the technical parameters that define the scope of the test on your network.

    The SOW is the business contract that defines the scope of the services that will be performed for $x. What type of testing? (Black box? Crystal box? Exclude social engineering?) When does the testing start? Duration? (1 week, 2 weeks, etc.) What is the deliverable? When will you receive it? etc.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
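Since several replies describe the RoE as the technical parameters (allowed IP ranges, excluded hosts, a testing window such as "after 8:00 PM"), here is an added example, not from any poster, of how a tester's tooling can enforce those parameters before touching a host; the RoE values are constructed and hypothetical.

```python
import ipaddress
from datetime import datetime, time

# Constructed RoE parameters (hypothetical values, not from a real engagement).
ROE = {
    "in_scope": ["10.20.0.0/24", "192.0.2.0/24"],   # ranges the client listed
    "excluded": ["10.20.0.5/32"],                    # e.g. a host the RoE says not to touch
    "window_start": time(20, 0),                     # testing only after 20:00 local
    "window_end": time(6, 0),                        # ...until 06:00 the next morning
}


def in_scope(target: str, roe: dict = ROE) -> bool:
    """True only if target lies in an in-scope range and in no excluded range."""
    ip = ipaddress.ip_address(target)
    allowed = any(ip in ipaddress.ip_network(net) for net in roe["in_scope"])
    excluded = any(ip in ipaddress.ip_network(net) for net in roe["excluded"])
    return allowed and not excluded


def in_window(now: datetime, roe: dict = ROE) -> bool:
    """True if the clock time falls inside the agreed window (handles overnight windows)."""
    t = now.time()
    start, end = roe["window_start"], roe["window_end"]
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window wraps past midnight


def check_target(target: str, now: datetime, roe: dict = ROE):
    """Return (ok, reason) so a scanner wrapper can refuse out-of-RoE actions and log why."""
    if not in_scope(target, roe):
        return False, f"{target} is outside the RoE scope"
    if not in_window(now, roe):
        return False, f"{now:%H:%M} is outside the agreed testing window"
    return True, "ok"


if __name__ == "__main__":
    for host in ("10.20.0.7", "10.20.0.5", "10.21.0.7"):
        print(host, check_target(host, datetime(2019, 2, 1, 22, 0)))
```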