Rules of Engagement Vs. SOW

ovechtrickovechtrick Registered Users Posts: 2 ■■■□□□□□□□
in PenTest+
Hi all, long time lurker sitting for PT0-001 next week. I'm feeling pretty good about all of the topics except for SoW and RoE. (I know, dumb) Can someone please explain the difference between Rules of Engagement (RoE) and a Statement of Work (SoW)? Both documents seem like they include the same types of information. I've read Omar Santos' book, as well as the Raymond Nutting book, but cant seem to distinguish the difference. Any help would be great!
Tagged:
· Share on FacebookShare on Twitter

Comments

  • DZA_DZA_ Member Posts: 467 ■■■■■■■□□□
    My understanding that for Statement of Work (in the context of consulting or business) will define what deliverables will be created/handed over when engaged in a project or a business transaction. For example:

    Statement of work:
    - Delivery a pair of firewalls configured in high-availability
    - Configure web application firewall functionality for cross side scripting / input validation
    - Define and configure network to support firewall appliances

    In the context of pen testing (and correct me if I'm wrong guys for those who are in the field) is the restrictions or how you perform when you're conducting the pen test, for example: 

    - Can only perform pen testing after business hours (8:00 PM)
    - Limited to using only certain penetration tools
    - Provided limited knowledge of the network or full knowledge of the network 

    Cheers, 
    · Share on FacebookShare on Twitter
  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    If the SoW does not include a pentest then there will be no need for an RoE agreement.
    Forum Admin at www.techexams.net
    --
    Credly
    LinkedIn
    Twitter
    · Share on FacebookShare on Twitter
  • yoba222yoba222 Member Posts: 1,237 ■■■■■■■■□□
    edited February 2019
    Based on my work experience, SOW is what you promise to do and ROE is what you promise not to do.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
    · Share on FacebookShare on Twitter
  • ovechtrickovechtrick Registered Users Posts: 2 ■■■□□□□□□□
    Thank you all for your comments!
    · Share on FacebookShare on Twitter
  • walterbyrdwalterbyrd Member Posts: 40 ■■■□□□□□□□
    Seems to be grey area. For example, a list of IP ranges test, with instructions to not touch anything else. SOW or ROE?
    · Share on FacebookShare on Twitter
  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    That clearly ROE. The rules state, "test only the hosts accessible at these IP addresses."  The SOW indicates the actual work (i.e., testing) that is to be performed on those IPs.
    Forum Admin at www.techexams.net
    --
    Credly
    LinkedIn
    Twitter
    · Share on FacebookShare on Twitter
  • iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    walterbyrd said:
    Seems to be grey area. For example, a list of IP ranges test, with instructions to not touch anything else. SOW or ROE?
    That is the ROE.  Think of the ROE as the technical parameters that define scope of the test on your network.

    The SOW is the business contract that defines the scope of the services that will be performed for $x. What type of testing? (Blackbox?,Crystal box?, exclude Social Engineering?)  When does the testing start? Duration? (1 week, 2 weeks, ect..)  What is the deliverable?  When will you receive it? ect..
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
    · Share on FacebookShare on Twitter
Sign In or Register to comment.