# Security Assessment Scope Document

- Client: Reseau Sante du Nord
- Contact: Marie-Claire Desrosiers, Executive Director
- IT Contact: Frantz (IT Administrator)
- Assessment Type: Network and Web Application Security Assessment
- Purpose: Donor compliance -- European health foundation requires security assessment before funding renewal
## Authorized Targets
| Target | Service | Port | Description |
|---|---|---|---|
| ehr-web | HTTP (Flask) | 80 | Electronic Health Record web application -- patient records, search, clinical notes |
| ssh-server | SSH (OpenSSH) | 22 | Remote administration access used by Frantz |
| ftp-server | FTP (vsftpd) | 21 | File transfer service -- used for data exports |
| vpn-sim | VPN | -- | VPN configuration simulator -- configuration review only, no active exploitation |
| grafana | HTTP (Grafana) | 3000 | Monitoring dashboard -- configuration and access review |
## Rules of Engagement
- Testing is authorized against all targets listed above during the assessment window
- Document all exploitation attempts, successful or not
- Do not modify patient records in the EHR database -- read access and injection testing are authorized, but do not alter, delete, or corrupt existing data
- Do not perform denial-of-service testing -- the clinics operate daily and service availability is critical
- Credential testing (brute-force) is authorized against SSH and the EHR web application login
- SQL injection and cross-site scripting testing are authorized against the EHR web application
## Pivoting Rules
- Lateral movement between authorized services is permitted -- if credentials discovered on one service grant access to another authorized service, that access may be tested
- VPN endpoint enumeration is permitted -- review VPN configurations for security weaknesses
- Do NOT exploit VPN to reach simulated clinic endpoints -- the VPN simulator is for configuration review only
- Any discovery of services or data not listed above must be reported, not investigated
## VPN Endpoint Restrictions
The VPN simulator contains configuration files for 6 clinics. Review these configurations for security weaknesses (shared keys, weak encryption, configuration errors). Do not attempt to establish VPN tunnels or reach simulated clinic networks.
## Out of Scope
- Actual clinic networks (the lab simulates the central server only)
- External DNS infrastructure
- Mobile device assessment (note as future recommendation if relevant)
- Social engineering of staff
- Physical security assessment
## Reporting Requirements
The assessment report must be suitable for two audiences:
- Marie-Claire and the donor foundation -- executive summary in non-technical language explaining what was found and what it means for patient data security
- Frantz (IT administrator) -- technical findings with specific remediation instructions
Include CVSS scores with environmental adjustments reflecting the healthcare context.