Abstract

This chapter expands on the high-level discussion of the Project Management Body of Knowledge (PMBOK) methodology as applied to penetration testing. It discusses how project management fits within an organization and the considerations that management must make during the life of a professional penetration test (PenTest) project. The composition of a professional penetration test team can vary dramatically, depending on the scope of the project and the organizational structure. The roles and responsibilities of the different penetration test team members and stakeholders are discussed, and the key aspects necessary to maintain and organize a capable PenTest team are identified. The different phases of a project within the PMBOK are Initiating, Planning, Executing, and Closing. These four stages have oversight through the Monitoring and Controlling processes. There are only two processes within the initiating stage of a project—Develop Project Charter and Identify Stakeholders. In the planning stage of a penetration test, three processes that a project manager must develop effectively are Plan Risk Management, Identify Risks, and Plan Risk Responses. The processes within the executing phase that are more intensive for a professional penetration test are Acquire the Project Team, Develop the Project Team, and Manage Stakeholder Expectations. In the monitoring and controlling phase of a penetration test, two areas that pose particular problems are scope control and schedule control. The PMBOK identifies two tasks as part of the closing phase—Close Project or Phase and Close Procurements. All phases of a project include challenges that must be overcome and opportunities to improve the long-term success of the team and its members.
