Network Segmentation Assessment -- Scope Document
Engagement Overview
- Client: Maskan Properties
- Contact: Fatima Al-Sulaiti, Chief Operating Officer
- IT Contact: Ahmed Khalil, Director of IT
- Assessment Type: Network segmentation assessment and hardening recommendation
- Duration: Up to 2 months (insurance compliance deadline: 3 months from engagement start)
Client Information
Maskan Properties operates 12 residential and commercial buildings across Doha and Al Wakra, Qatar. Each building has its own local network supporting tenant Wi-Fi, building management systems (HVAC, fire suppression, elevators), CCTV surveillance, and electronic access control. The buildings range from new residential towers to an older mixed-use complex in Al Wakra. Building networks were deployed incrementally as each property was added to the portfolio.
Scope
In-Scope Systems
- All building network infrastructure across 12 properties
- Tenant Wi-Fi networks and access points
- Building management systems (BMS) including HVAC, fire suppression, elevator controls
- CCTV surveillance network and management interfaces
- Electronic access control systems (door locks, readers, controllers)
- Inter-building network connectivity
- Remote access arrangements (VPN, third-party vendor access)
- Network segmentation between system types within each building
- Network segmentation between buildings
Out-of-Scope
- Individual tenant devices and personal networks
- Cloud-hosted services and SaaS applications
- Mobile applications
- Physical security assessments (locks, cameras as physical devices)
- Social engineering and phishing assessments
- Wireless signal analysis and RF testing
- Endpoint security on workstations and servers
Rules of Engagement
- Operational continuity is mandatory. Buildings must remain fully operational throughout the assessment. No service disruption to tenants, building systems, or access control.
- Testing during off-peak hours preferred. Active scanning and lateral movement testing should be conducted during off-peak hours (22:00-06:00 local time) where possible to minimize any risk of service impact.
- Coordinate with IT. All active testing must be coordinated with Ahmed Khalil (Director of IT) in advance. Ahmed will provide technical access and documentation as needed.
- No modifications to production systems without approval. Any configuration changes (segmentation, firewall rules) must be documented and approved before implementation. Changes to the lab/test environment are unrestricted.
- Findings reported within 48 hours of discovery. Critical findings (life-safety system exposure) must be reported to Fatima Al-Sulaiti and Ahmed Khalil within 48 hours.
- Data handling. Any data encountered during assessment must be treated as confidential. Assessment logs and findings stored securely. No tenant data to be extracted or stored outside the assessment environment.
Timeline
| Phase | Duration | Description |
|---|---|---|
| Connectivity assessment | 2 weeks | Map current network topology and identify segmentation failures |
| Segmentation design | 1 week | Design zone-based segmentation architecture |
| Implementation and testing | 2 weeks | Implement segmentation, firewall rules, and detection |
| Lateral movement verification | 1 week | Systematic verification from attacker perspective |
| Reporting | 1 week | Compile findings, remediation plan, and cost estimates |
| Total | 7 weeks | Within the 2-month assessment window |
Points of Contact
| Name | Role | Contact | Availability |
|---|---|---|---|
| Fatima Al-Sulaiti | COO, engagement sponsor | f.alsulaiti@maskanproperties.qa | Business hours, responsive to email |
| Ahmed Khalil | Director of IT, technical contact | a.khalil@maskanproperties.qa | Business hours + on-call for testing windows |